ASP.NET Security Vulnerability Or Not

Last week two security researchers, Thai Duong and Juliano Rizzo, have discovered a bug in the default encryption mechanism used to protect the cookies normally used to implement Forms Authentication in ASP.NET.

Using their tool (the Padding Oracle Exploit Tool or POET), they can repeatedly modify an ASP.NET Forms Authentication cookie encrypted using AES and, by examining the errors returned, determine the Machine Key used to encrypt the cookie. The process is claimed to be 100 percent reliable and takes between 30 and 50 minutes for any site.

Everyone immediately focused on the bug not mentioning what is commonly known as good practice and applied to every production site by any decent software developer “Never expose your production server errors (exceptions) to the client” failing to do so exposes your server to a number of threats not only the one described in the above security vulnerability.

There are several ways you could achieve that and Scott Gu mentions the easiest one in his blog post. An other way you could hide errors from your clients is by handling the Application_Error event in the web app’s Global.asax like this

void Application_Error(object sender, EventArgs e)
{
  try
  {
    Exception ex = Server.GetLastError();

                //Log any way you feel like

    Server.ClearError();
  }
  catch (Exception ex){	}
  finally
  {
    Response.Redirect("~/error.htm");
  }
}
 
Comments

We trap and replace errors using Application_Error event handler much like what you have in your sample.
I know that this hides the error from users, but does it protect against the vulnerability they found?
Is Microsoft officially saying it does?

Also I see that you mention Forms Authentication.
Is the vulnerability limited to apps that use Forms Authentication?

Microsoft”s postings are so vague regarding the nature of the vulnerability …

Yes you can protect your application from this vulnerability using this method.
Microsoft”s way does not require code, it redirects all errors in a custom page using the web.config custom error section.
Forms authentication cookie is present only if you use Forms authentication (have the corresponding section on your web.config).
Microsoft”s postings are vague because the nature of the vulnerability hasn”t been establised yet.

It does work for me, thanks

Leave a Reply