Skip to main content

Add as a preferred source on Google


News

UPDATED: Security Hack Exposes Forms Authentication in ASP.NET


Two security researchers, Thai Duong and Juliano Rizzo, have discovered a bug in the default encryption mechanism used to protect the cookies normally used to implement Forms Authentication in ASP.NET. Using their tool (the Padding Oracle Exploit Tool or POET), they can repeatedly modify an ASP.NET Forms Authentication cookie (normally encrypted using AES) and, by examining the errors returned, determine the Machine Key used to encrypt the cookie. The process is claimed to be 100 percent reliable and takes between 30 and 50 minutes for any site.

Once the Machine Key is determined, attackers can create bogus forms authentication cookies. If site designers have chosen the option to embed role information in the security cookie, then attackers could arbitrarily assign themselves to administrator roles. This exposure also affects other membership provider features, spoofing protection on the ViewState, and encrypted information that might be stored in cookies or otherwise be made available at the client. The attack will reportedly work on any block-cipher encryption mechanism (e.g. 3DES, MARS) implemented using the .NET encryption tools.

Microsoft is recommending, as a workaround, reducing information returned to the client in the event of an error to prevent intruders from gathering the information needed to determine the Machine Key. You can read more on that here. The simplest solution is, in the site's web.config file, to add or replace the customErrors tag inside the system.web element. The tag should point to an error page that provides no feedback on the error. A typical entry would look like this (where error.html is some html-only page in the same folder as the web.config file):

 <customErrors mode="On" defaultRedirect="~/error.html" />

On a Web farm, these changes will have to be made on all the servers in the farm.

A video, posted Thursday, Sept. 16 on YouTube shows Thai Duong demonstrating the attack using POET. They have said they intend to provide the slide deck for their presentation on September 17 at the ekoparty Security Conference.

About the Author

Peter Vogel is a system architect and principal in PH&V Information Services. PH&V provides full-stack consulting from UX design through object modeling to database design. Peter tweets about his VSM columns with the hashtag #vogelarticles. His blog posts on user experience design can be found at http://blog.learningtree.com/tag/ui/.

comments powered by Disqus

Featured

  • Hands On with GitHub Copilot App Technical Preview: Turning a Blazor Issue into a PR

    GitHub's brand-new Copilot desktop app, in technical preview, handled a small Blazor issue from planning through pull request creation, but the hands-on test also showed why developers still need to verify agent work in the running app before merging.

  • At Build 2026, Microsoft Sets Up Windows as an OS for AI Agents

    Microsoft's Build 2026 Windows developer announcements point to a broader platform strategy for agentic AI, spanning terminal workflows, local models, app-building skills, Cloud PCs and operating system-level containment.

  • Slammed by Copilot Usage-Based Billing on Day 1, Facing $180 Bill for June

    A journalist using GitHub Copilot Pro details how a broken editorial workflow on day one of usage-based billing led to runaway token consumption, a projected $180 monthly bill, and practical tactics for cutting AI credit burn.

  • AdaBoost.R2 Regression Using C#

    AdaBoost.R2 regression works by building an ensemble of decision trees, training them on reweighted data, and combining their predictions with a weighted median, while also showing how parameter choices affect accuracy and overfitting.

Most   Popular

Subscribe on YouTube