Considering the recent ASP.NET vulnerability, what should I look for in my httphandlers that would cause such a Padding Oracle vulnerability?
Asked in another way... what did MSFT do wrong and what did they fix in their handlers?
Asked
Active
Viewed 457 times
2 Answers
0
I think the wronge is that they give "too much" informations about the error.
@Sri here analyze it very well
How serious is this new ASP.NET security vulnerability and how can I workaround it?
-
Which error? How would I improperly implement the same thing in my code? – makerofthings7 Oct 29 '10 at 00:50
-
@MakerOfThings7 The error that you get when you give a false key to decrypt. – Aristos Oct 29 '10 at 00:52
0
There were 3 problems with WebResource.axd and ScriptResource.axd:
- Working as a padding oracle. This is because these decrypted information send in the query string, and behaved differently when the decrypted string had invalid vs. valid padding - because it had been tampered with. The fix Microsoft made included using a HMAC to prevent the data from being tampered - this is checked before any padding check, so it doesn't expose padding information
- Relying on normal encryption/decryption to receive a request for a resource/file. It isn't meant for that, a tamper proof mechanism is needed.
- Allowing access of any kind of files, not only JavaScript files
Bottom line, don't allow more access than necessary and only if you really need encryption/decryption tamper proof it.
Back in the day I blogged about how it related to getting different levels of access
eglasius
- 35,831
- 5
- 65
- 110