ASP.NET padding attack
September 21, 2010
I don’t usually post news, but there’s been a great deal of noise lately regarding the ASP.NET padding attack. Most of it something to the effect of, “Huge Gaping Security Hole in ASP.NET Big Enough To Drive A Bus Through!” which is probably a little overblown, but only a little.
Ok, so this is kind of a big deal. There’s an exploit in the wild which allows a user to read and modify viewstate and cookies. So once a user is in, they can wreak havoc on your app.
Now, quotes from The Register like the following make me roll my eyes. I’m sure that apps which store database connection strings in View State are out there – I’ve seen some really bad code, but I’ve never seen an app do that.
…The View State page, which can be used to store passwords, database connection strings and other sensitive data, is supposed to remain unreadable….
However, even if there isn’t anything quite that stupid, what else is there? For one thing, storing something like a database id for a particular customer in View State isn’t even regarded as poor practice. How many times have you seen (or written) something like this?
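public partial class Example : System.Web.UI.Page
{
    public int? CustomerId
    {
        // The customer id round-trips through client-side View State.
        get { int customerId; if (int.TryParse(Convert.ToString(ViewState["CustomerId"]), out customerId)) return customerId; return null; }
        set { ViewState["CustomerId"] = value; }
    }
    protected void Page_Load(object sender, EventArgs e) { }
}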
So even excusing other gaping security holes, there is the potential for a user who is supposed to be authenticated for only one customer to see report data, place orders, get payment information, retrieve personal / company details and more, for another customer. They can simply tweak the View State and bypass the security mechanisms that are in place to segregate users.
So, wow, yeah, that’s huge. The worst part is that the security concern is not just inside the circle, so to speak. It’s not safe (at all) to assume that your existing users (the ones that have even some access to the system) are unlikely to be malicious. It does, however, give you better odds, just because your user base is smaller than everyone on the internet (unless you’re Facebook – then it’s the same odds). For this exploit, though, there is the potential for everyone to gain access to your app.
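An added example, not code from the original post: the same page with the View State value re-checked against a server-side authorization lookup on every postback, so a tweaked id is rejected instead of trusted. `GetCustomerIdsForUser`, `IsAuthorizedForCustomer` and the sample users are hypothetical, and the check assumes `User.Identity.Name` is trustworthy, which a forged Forms Authentication cookie would defeat.

```csharp
using System;
using System.Collections.Generic;
using System.Web;

public partial class Example : System.Web.UI.Page
{
    // Hypothetical lookup: customer ids the signed-in user may act on.
    // A real application would query its own authorization store here.
    private static ICollection<int> GetCustomerIdsForUser(string userName)
    {
        var allowed = new Dictionary<string, int[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "alice", new[] { 1001 } },       // constructed sample data
            { "bob",   new[] { 2002, 2003 } }  // constructed sample data
        };
        int[] ids;
        return allowed.TryGetValue(userName, out ids) ? ids : new int[0];
    }

    // Pure check, kept apart from the page lifecycle so it can be unit tested.
    public static bool IsAuthorizedForCustomer(string userName, int? customerId)
    {
        return customerId.HasValue
            && !string.IsNullOrEmpty(userName)
            && GetCustomerIdsForUser(userName).Contains(customerId.Value);
    }

    public int? CustomerId
    {
        get
        {
            int customerId;
            if (int.TryParse(Convert.ToString(ViewState["CustomerId"]), out customerId))
                return customerId;
            return null;
        }
        set { ViewState["CustomerId"] = value; }
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // View State came back from the browser: treat it as user input.
        if (IsPostBack && !IsAuthorizedForCustomer(User.Identity.Name, CustomerId))
            throw new HttpException(403, "Not authorized for this customer.");
    }
}
```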
You see, Forms Authentication is stored client-side in a cookie. So if your app is using Forms Authentication, users now have a way to spoof a Forms Authentication Cookie (including whatever roles they would like) and gain access to your system.
So, yeah, I’d say that’s a “Huge Gaping Security Hole in ASP.NET Big Enough To Drive A Bus Through!”.
Go read the Microsoft Security Advisory and implement the suggested changes. Talk to your clients or your boss, explain the severity of the issue and get some time to fix it.