ASP.NET Security Vulnerability Or Not


Last week two security researchers, Thai Duong and Juliano Rizzo, discovered a bug in the default encryption mechanism used to protect the cookies that normally implement Forms Authentication in ASP.NET.

Using their tool (the Padding Oracle Exploit Tool, or POET), they can repeatedly modify an ASP.NET Forms Authentication cookie encrypted with AES and, by examining the errors returned, determine the Machine Key used to encrypt the cookie. The process is claimed to be 100 percent reliable and to take between 30 and 50 minutes for any site.

Everyone immediately focused on the bug without mentioning what is commonly known as good practice and applied to every production site by any decent software developer: never expose your production server errors (exceptions) to the client. Failing to do so exposes your server to a number of threats, not only the one described in the vulnerability above.

There are several ways you could achieve that, and Scott Gu mentions the easiest one in his blog post. Another way to hide errors from your clients is to handle the Application_Error event in the web app's Global.asax like this:

void Application_Error(object sender, EventArgs e)
{
  try
  {
    // Grab the unhandled exception before ASP.NET renders it to the client
    Exception ex = Server.GetLastError();

    // Log it any way you feel like (event log, file, etc.), but never write it to the response

    // Clear it so the default (detailed) error page is not sent back
    Server.ClearError();
  }
  catch (Exception)
  {
    // Swallow anything the logging itself throws; the client must still only see the generic page
  }
  finally
  {
    // Always send the same generic page, whatever the error was
    Response.Redirect("~/error.htm");
  }
}
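The configuration-only route mentioned above (the web.config customErrors section) is shown here as an added example; it is not taken from the original post or from Scott Gu's article. The first fragment is the weak setting, the second the corrected one. The page name error.html and the choice of ResponseRewrite are assumptions; the point is that every failure, whatever its cause, must produce one identical response, because it is the difference between error responses that the padding oracle attack examines.

```xml
<!-- WEAK: detailed exceptions reach remote clients (mode="Off"),
     and even with mode="On", per-status pages let a client tell
     one kind of failure from another. -->
<configuration>
  <system.web>
    <customErrors mode="Off">
      <error statusCode="404" redirect="~/notfound.html" />
      <error statusCode="500" redirect="~/servererror.html" />
    </customErrors>
  </system.web>
</configuration>

<!-- CORRECTED (assumed settings, not the post's own config):
     one generic page for every error, no per-status entries,
     so all failures look the same to the client.
     redirectMode="ResponseRewrite" (ASP.NET 3.5 SP1 or later) serves
     the page in place instead of issuing a redirect that would
     itself leak a distinguishable status code. -->
<configuration>
  <system.web>
    <customErrors mode="On"
                  defaultRedirect="~/error.html"
                  redirectMode="ResponseRewrite" />
  </system.web>
</configuration>
```

Keep the generic page a static file with no server-side logic, so that rendering it cannot fail in a way that produces yet another distinguishable error.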


3 Replies to “ASP.NET Security Vulnerability Or Not”

  1. We trap and replace errors using Application_Error event handler much like what you have in your sample.
    I know that this hides the error from users, but does it protect against the vulnerability they found?
    Is Microsoft officially saying it does?

    Also I see that you mention Forms Authentication.
    Is the vulnerability limited to apps that use Forms Authentication?

    Microsoft's postings are so vague regarding the nature of the vulnerability …

  2. Yes you can protect your application from this vulnerability using this method.
    Microsoft's way does not require code, it redirects all errors in a custom page using the web.config custom error section.
    Forms authentication cookie is present only if you use Forms authentication (have the corresponding section on your web.config).
    Microsoft's postings are vague because the nature of the vulnerability hasn't been established yet.
