ASP.NET padding attack

September 21, 2010

I don’t usually post news, but there’s been a great deal of noise lately regarding the ASP.NET padding attack. Most of it something to the effect of, “Huge Gaping Security Hole in ASP.NET Big Enough To Drive A Bus Through!” which is probably a little overblown, but only a little.

Microsoft posted a security advisory on Friday last week. Scott Guthrie’s blog entry popped up soon after with details about the vulnerability, how to work around it, and how to test for it.

Ok, so this is kind of a big deal. There’s an exploit in the wild which allows a user to read and modify View State and cookies. So once a user is in, they can wreak havoc on your app.

Now, quotes from The Register like the following make me roll my eyes. I’m sure that apps which store database connection strings in View State are out there – I’ve seen some really bad code, but I’ve never seen an app do that.

…The View State page, which can be used to store passwords, database connection strings and other sensitive data, is supposed to remain unreadable….

However, even if there isn’t anything quite that stupid, what else is there? For one thing, storing something like a database id to a particular customer in View State isn’t even regarded as poor practice. How many times have you seen (or written) something like this?

public partial class Example : System.Web.UI.Page
{
    public int? CustomerId
    {
        get
        {
            int customerId;
            if (int.TryParse(Convert.ToString(ViewState["CustomerId"]), out customerId))
                return customerId;
            return null;
        }
        set { ViewState["CustomerId"] = value; } // round-trips through the client
    }
    protected void Page_Load(object sender, EventArgs e)
    {
        // ...
    }
}

So even excusing other gaping security holes, there is the potential for a user who is supposed to be authenticated for only one customer to see report data, place orders, get payment information, retrieve personal / company details and more, for another customer. They can simply tweak the View State and bypass the security mechanisms that are in place to segregate users.
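One way to narrow the exposure described above, as an added example that is not code from the original post: resolve the customer id on the server against the authenticated user instead of trusting whatever comes back in View State. CustomerAccessGuard, Resolve and the in-memory lookup are hypothetical names, and the sample data is constructed.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical helper: the dictionary stands in for a real
// user-to-customer lookup (database, claims, and so on).
public sealed class CustomerAccessGuard
{
    private readonly IDictionary<string, ISet<int>> _allowed;

    public CustomerAccessGuard(IDictionary<string, ISet<int>> allowed)
    {
        if (allowed == null) throw new ArgumentNullException("allowed");
        _allowed = allowed;
    }

    // Returns the customer id only if the authenticated user may act for it.
    // rawFromClient is the value read back from View State: untrusted input.
    public int? Resolve(string authenticatedUser, object rawFromClient)
    {
        int requested;
        if (!int.TryParse(Convert.ToString(rawFromClient), out requested))
            return null; // missing or malformed value

        ISet<int> ids;
        if (authenticatedUser == null
            || !_allowed.TryGetValue(authenticatedUser, out ids)
            || !ids.Contains(requested))
            return null; // tampered value or user not authorized for it

        return requested;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample data: alice belongs to customer 17 only.
        var guard = new CustomerAccessGuard(new Dictionary<string, ISet<int>>
        {
            { "alice", new HashSet<int> { 17 } }
        });

        Console.WriteLine(guard.Resolve("alice", 17).HasValue);  // her own customer
        Console.WriteLine(guard.Resolve("alice", 42).HasValue);  // id changed on the client
        Console.WriteLine(guard.Resolve("alice", "x").HasValue); // garbage value
    }
}
```

This check only holds if the authenticated identity itself can be trusted, so it complements the advisory's changes and does not replace them.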

So, wow, yeah, that’s huge. The worst part is that the security concern is not just inside the circle, so to speak. It’s not safe (at all) to assume that your existing users (the ones that have even some access to the system) are unlikely to be malicious. It does, however, give you better odds, just because your user base is smaller than everyone on the internet (unless you’re Facebook – then it’s the same odds). For this exploit, though, there is the potential for everyone to gain access to your app.

You see, Forms Authentication is stored client-side in a cookie. So if your app is using Forms Authentication, users now have a way to spoof a Forms Authentication Cookie (including whatever roles they would like) and gain access to your system.

So, yeah, I’d say that’s a “Huge Gaping Security Hole in ASP.NET Big Enough To Drive A Bus Through!”.

Go read the Microsoft Security Advisory and implement the suggested changes. Talk to your clients or your boss, explain the severity of the issue and get some time to fix it.

Check out the video demonstration of the exploit:


You are currently reading ASP.NET padding attack at Mike Vallotton's Blog.

