Focus on New ASP.NET Vulnerability


Microsoft has disclosed a new ASP.NET vulnerability. The security hole allows an attacker to decrypt ViewState data or retrieve the contents of web.config. ASP.NET uses encryption to protect sensitive information from tampering by the client. Because of a vulnerability in the encryption implementation, an attacker can decrypt data, such as passwords, stored in the ViewState object. Since the ViewState object is encrypted and sent to the client in a hidden field, the attacker has the encrypted data in hand and can decrypt it.

In ASP.NET 3.5 SP1 or above, an attacker could use the same encryption vulnerability to request the contents of any file within the ASP.NET application, such as web.config. In this way, the attacker can read any file in the ASP.NET application that the worker process can access.

The workaround for this issue is to configure the CustomErrors feature of ASP.NET applications to return the same error page irrespective of the server error, as shown below:

<configuration>
  <location allowOverride="false">
    <system.web>
      <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/ErrorPage.aspx" />
    </system.web>
  </location>
</configuration>

Now, create an ErrorPage.aspx as shown below:

<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Threading" %>

<script runat="server">
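    void Page_Load() {
        // Sleep for a random 0-255 ms so response timing does not reveal the error type.
        byte[] delay = new byte[1];
        RandomNumberGenerator prng = new RNGCryptoServiceProvider();
        prng.GetBytes(delay);
        Thread.Sleep((int)delay[0]);
        // Dispose the RNG when the framework version in use makes it IDisposable.
        IDisposable disposable = prng as IDisposable;
        if (disposable != null) { disposable.Dispose(); }
    }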
</script>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="Head1" runat="server">
    <title></title>
</head>
<body>
    <div>
        An error occurred while processing your request.
    </div>
</body>
</html>

This prevents the attacker from distinguishing between different types of errors.
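
One way to check that a web.config actually carries the workaround above, written in Python as an added example that is not part of the original article or of Microsoft's guidance. The function name, the sample configurations and the rule that per-status `<error>` children must point at the common page are assumptions drawn from the "same error page" requirement.

```python
import xml.etree.ElementTree as ET

# Settings taken from the workaround configuration shown above.
REQUIRED = {"mode": "On", "redirectMode": "ResponseRewrite"}
# ASP.NET defaults that apply when an attribute is omitted.
DEFAULTS = {"mode": "RemoteOnly", "redirectMode": "ResponseRedirect"}

def _local(el):
    # Strip an XML namespace, which some web.config files declare on <configuration>.
    return el.tag.rsplit("}", 1)[-1]

def audit_custom_errors(web_config_xml):
    """Return a list of findings; an empty list means the workaround is in place."""
    root = ET.fromstring(web_config_xml)
    sections = [el for el in root.iter() if _local(el) == "customErrors"]
    if not sections:
        return ["no <customErrors> element, so ASP.NET defaults apply"]
    findings = []
    for ce in sections:
        for attr, wanted in REQUIRED.items():
            actual = ce.get(attr, DEFAULTS[attr])
            if actual != wanted:
                findings.append(f'{attr}="{actual}", expected "{wanted}"')
        default_page = ce.get("defaultRedirect")
        if not default_page:
            findings.append("defaultRedirect is not set")
        # Per-status pages let a client tell error types apart again.
        for child in ce:
            if _local(child) == "error" and child.get("redirect") != default_page:
                findings.append(
                    f'statusCode {child.get("statusCode")} redirects to '
                    f'{child.get("redirect")}, not the common error page')
    return findings

# Constructed sample inputs (not taken from a real application).
HARDENED = """<configuration><location allowOverride="false"><system.web>
  <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/ErrorPage.aspx" />
</system.web></location></configuration>"""

WEAK = """<configuration><system.web>
  <customErrors mode="RemoteOnly" defaultRedirect="~/ErrorPage.aspx">
    <error statusCode="404" redirect="~/NotFound.aspx" />
    <error statusCode="500" redirect="~/ErrorPage.aspx" />
  </customErrors>
</system.web></configuration>"""

if __name__ == "__main__":
    for name, xml in (("HARDENED", HARDENED), ("WEAK", WEAK)):
        print(name, audit_custom_errors(xml) or "OK")
```
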

For more information, refer:


I hope this article will be helpful for all.

