How to check if your application is vulnerable to the ASP.NET Padding Oracle Vulnerability

Submitted by Bogdan Calin on September 22, 2010 – 5:04 pm

9 Comments

Everybody’s talking about the ASP.NET Padding Oracle vulnerability released a few days ago at the ekoparty Security Conference. However, until now there wasn’t enough information on how to check if your application is vulnerable or not.

Yesterday, Duncan Smart from the ASP.NET forums published some very useful information that allows us to do that. An application is vulnerable to a padding oracle attack if it responds differently in the following three cases:

1. When a valid ciphertext is received (one that is properly padded and contains valid data).

2. When an invalid ciphertext is received (one that is not properly padded).

3. When a valid ciphertext is received (properly padded) but the decrypted value is not valid for the application.

How do we apply this to ASP.NET?

The key to attacking ASP.NET is the file WebResource.axd. This file is also used in the exploit video released by Juliano Rizzo. This file can be used as a padding oracle because it responds differently in all three cases.

Here are the three cases.

1. valid ciphertext

Make a request like http://website.com/application/WebResource.axd?d=jzjghMVYzFihd9Uhe_arpA2 The response status is 200 OK and the response body is the content of the web resource you’ve requested (some JavaScript code in my case).

2. invalid ciphertext

Make a request like http://website.com/application/WebResource.axd?d=acunetix The response status is 500 Internal Server Error and the response body is some error message.

3. valid ciphertext but invalid data

Make a request like http://website.com/application/WebResource.axd?d= The response status is 404 Not Found and the response body is some error message.
This is the padding oracle that allows an attacker to exploit this vulnerability. If your application responds differently in all of these three cases, it’s vulnerable.
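As an added illustration (not part of the original post or of Acunetix’s tooling), the following Python script runs the three-request self-check described above against an application you administer. The fake_unpatched and fake_workaround responders and the GOOD / GOOD-MISSING tokens are constructed stand-ins so the check runs offline; the valid-but-bad-data token, which the post does not spell out, is something you must supply.

```python
import urllib.error
import urllib.request
from typing import Callable, Dict, NamedTuple


class Response(NamedTuple):
    status: int
    body: bytes


Fetch = Callable[[str], Response]


def http_fetch(base_url: str) -> Fetch:
    """Build a fetch(d) that requests <base_url>/WebResource.axd?d=<d>."""
    def fetch(d: str) -> Response:
        url = f"{base_url.rstrip('/')}/WebResource.axd?d={d}"
        try:
            with urllib.request.urlopen(url, timeout=10) as resp:
                return Response(resp.status, resp.read())
        except urllib.error.HTTPError as err:  # 4xx/5xx are answers, not failures
            return Response(err.code, err.read())
    return fetch


def oracle_check(fetch: Fetch, valid_d: str, garbage_d: str, valid_bad_d: str) -> Dict[str, object]:
    """Send the post's three probes and report whether they are distinguishable.

    valid_d     : a d= token copied from a page of your own application
    garbage_d   : any string that cannot decrypt (the post uses "acunetix")
    valid_bad_d : a token that decrypts cleanly but names a missing resource
    The decisive pair for a padding oracle is garbage_d vs valid_bad_d: if those
    two replies differ, bad padding can be told apart from good padding.
    """
    replies = {"valid": fetch(valid_d), "bad_padding": fetch(garbage_d),
               "good_padding_bad_data": fetch(valid_bad_d)}
    distinct = len({(r.status, r.body) for r in replies.values()})
    leak = replies["bad_padding"] != replies["good_padding_bad_data"]
    return {"distinct_responses": distinct, "padding_oracle": leak, "replies": replies}


# Constructed stand-ins so the check runs offline; the tokens are made up.
def fake_unpatched(d: str) -> Response:
    """Models the three distinguishable replies the post observed."""
    if d == "GOOD":
        return Response(200, b"/* javascript resource */")
    if d == "GOOD-MISSING":
        return Response(404, b"Resource not found")
    return Response(500, b"Internal Server Error")


def fake_workaround(d: str) -> Response:
    """Models customErrors + ResponseRewrite: every error is the same 200 page."""
    if d == "GOOD":
        return Response(200, b"/* javascript resource */")
    return Response(200, b"<html>Something went wrong.</html>")
```

To test a real application, pass http_fetch("https://your-host/application") as the fetch argument instead of a fake responder.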
Very important: Setting CustomErrors to “On” or “RemoteOnly” (in web.config) doesn’t solve this problem because the padding oracle is still there (the error message displayed on the 500 error page is not important for this vulnerability). Therefore, the only solution is the one presented by Scott Guthrie. Edit web.config to use redirectMode set to ResponseRewrite and defaultRedirect to an error page defined by you.
<configuration>
2
<system.web>
3
<customerrors mode="On" redirectmode="ResponseRewrite"
defaultredirect="~/error.aspx">
4
</customerrors></system.web>
Ahmad
Başak
Lex
Ilias
Nero
5
</configuration>
Once this workaround is applied, the application will return the same status code and response body in all three cases. If you are using .NET Framework version 3.5 SP1 or 4.0, it’s even better.
If you are using .NET Framework version 3.5 SP1 or 4.0, the workaround provides further protection by also helping to mitigate against potential timing analysis attacks. The workaround uses the redirectMode=”ResponseRewrite” option in the customErrors feature, and introduces a random delay in the error page. These approaches work together to make it more difficult for an attacker to deduce the type of error that occurred on the server by measuring the time it took to receive the error.
Today we’ve released an update for Acunetix WVS that automatically checks if your application is vulnerable or not to this ASP.NET vulnerability.
9 Comments »
Calandale says:
September 22, 2010 at 11:10 pm
The Microsoft advisory implies that this vulnerability can be exploited to ends other than merely decrypting application information. In particular, disclosure of files on the system itself. Has anyone investigated this claim? If this is indeed exploitable, this is a situation which is far more worrisome than the exploit which was demonstrated.
Too, this tool doesn’t reflect the observation that Thai Duong made – which is that the actual response codes are unnecessary, timing attacks can give the same information.
Acunetix WVS Version 7 build 20100921 released | Acunetix Web Application Security Blog says:
September 22, 2010 at 11:29 pm
[…] bug fixes, this build will also automatically check for the latest OpenX OFC file upload and the ASP.NET padding Oracle […]
TheTestManager says:
September 22, 2010 at 11:39 pm
Are you aware if by using ResponseRewrite and defaultRedirect it is still possible to carry out Oracle Padding using the response status codes instead of the response body?
This way attackers could still look for status response codes 302 which would happen on the non-valid ciphertext as you get redirected to the new customerror. which would then give a 200?
Or does the setting of responserewrite and defaultredirect get around that possible attack scenario?
Bogdan Calin says:
September 23, 2010 at 3:12 am
@Calandale Yes, from my understanding it’s possible to read the contents of any file from the application directory. The WebResource.axd file can be used to do exactly that. You have to prepare the right value for the d parameter (this parameter specifies what resource/file you want to read). You can do that after you’ve recovered the encryption key.
The workaround that uses the redirectMode=”ResponseRewrite” option in the customErrors feature introduces a random delay in the error page. Therefore, timing attacks don’t work anymore.
Bogdan Calin says:
September 23, 2010 at 3:18 am
@TheTestManager From my tests, after you’ve configured ResponseRewrite and defaultRedirect there are no redirects (301/302) to the custom error page. I just see a 200 status code. Our tool (HTTP Editor) doesn’t automatically follow redirects.
Vulnerabilidad Padding Oracle en ASP.NET « WillyXoft says:
September 23, 2010 at 10:53 am
[…] How to check if your application is vulnerable to the ASP.NET Padding Oracle Vulnerability […]
Week 38 in Review – 2010 | Infosec Events says:
September 27, 2010 at 7:42 pm
[…] How to check if your application is vulnerable to the ASP.NET Padding Oracle Vulnerability – acunetix.com […]
Soroush says:
September 27, 2010 at 11:33 pm
In Case 3 “valid ciphertext but invalid data” (“When a valid ciphertext is received (properly padded) but the decrypted value is not valid for the application.”), is it the same to change only 1 letter of a valid cipher to an invalid one? For example, can we use this one:
http://website.com/application/WebResource.axd?d=jzjghMVYzFihd9Uhe_arpA1
when the valid one is:
http://website.com/application/WebResource.axd?d=jzjghMVYzFihd9Uhe_arpA2
(I’ve changed “jzjghMVYzFihd9Uhe_arpA2” to “jzjghMVYzFihd9Uhe_arpA1”)
?
Thanks
ASP.NET Padding Oracle | The Chronicles of Jon says:
October 7, 2010 at 5:20 am
[…] How to check if your application is vulnerable to the ASP.NET Padding Oracle Vulnerability […]