AppSec Blog: Tag - ASP.NET

ASP.NET Padding Oracle Vulnerability

A very serious vulnerability in ASP.NET was revealed this past month that allows attackers to completely compromise ASP.NET Forms Authentication, among other things. When things like this happen, as developersit's important to see what lessons can be learned in order to improve the defensibility of our software. Source: 'Padding Oracle' Crypto Attack Affects Millions of … Continue reading ASP.NET Padding Oracle Vulnerability

Session Attacks and ASP.NET - Part 2

In Session Attacks and ASP.NET - Part 1, I introduced one type of attack against the session called Session Fixation as well as ASP.NET's session architecture and authentication architecture. In this post, I'll delve into a couple specific attack scenarios, cover risk reduction, and countermeasures. Attack Scenario: ASP.NET Session with Forms Authentication So understanding the … Continue reading Session Attacks and ASP.NET - Part 2

Session Attacks and ASP.NET - Part 1

I've spent some time recently looking for updated information regarding session attacks as they apply to ASP.NET and am still not completely satisfied with how Microsoft has decided to implement session management in ASP.NET 2.0+ (haven't looked at 4.0 beta yet). Before illustrating how a specific attack works with some specific countermeasures for ASP.NET (in … Continue reading Session Attacks and ASP.NET - Part 1