Could anyone give me a very basic example of an ASP.NET web application that is vulnerable to the padding oracle attack?
-
All applications were vulnerable to the attack before the patch. Especially if you used ViewState. – TheGeekYouNeed Oct 21 '10 at 09:07
-
Yes, I know, but I'm not familiar with ASP.NET programming... So could you paste me an example, please? Using ViewState, for example. – Robie Oct 21 '10 at 09:37
-
What's the purpose of your request? Trying to hack the site of one of your competitors? – Kris van der Mast Oct 21 '10 at 10:15
-
I want to try the vuln on my own site... that's why I'm asking for source code, because I don't know how to code in ASP.NET – Robie Oct 21 '10 at 10:46
2 Answers
Try the steps at the following two sites to test your site.
http://blog.dotsmart.net/2010/09/22/asp-net-padding-oracle-detector/
http://www.troyhunt.com/2010/09/fear-uncertainty-and-and-padding-oracle.html
Hope that helps

I know it's a very late answer, but maybe someone will be looking for this info.
Old versions of ASP.NET were vulnerable to the Padding Oracle Attack. It is still possible to enforce the "old" behavior through some tweaks. I described them in detail on my blog and the sample code is on GitHub.
We will be attacking the VIEWSTATE field. First, you need to disable ViewState signing. To do that, make sure you have the following setting in the web.config file:
    <appSettings>
      <add key="aspnet:UseLegacyMachineKeyEncryption" value="true" />
    </appSettings>
And a sample .ashx file vulnerable to the Padding Oracle Attack:
    <%@ WebHandler Language="C#" Class="EncryptionHandler" %>
    using System;
    using System.Linq;
    using System.Reflection;
    using System.Web;
    using System.Web.Security;
    using System.Text;

    public class EncryptionHandler : IHttpHandler
    {
        // Plaintext that the handler encrypts into the hidden form field.
        static readonly byte[] secret = Encoding.UTF8.GetBytes("Some text to break.");

        public void ProcessRequest(HttpContext context)
        {
            var viewState = context.Request.Form["VIEWSTATE"];
            if (viewState == null) {
                // First request: issue the value using encryption-only protection
                // (no validation is requested).
                viewState = MachineKey.Encode(secret, MachineKeyProtection.Encryption);
                context.Response.ContentType = "text/html";
                context.Response.Write("<!doctype html><html><form action=\"/EncryptionHandler.ashx\" method=\"POST\">" +
                    "<input type=\"hidden\" name=\"VIEWSTATE\" value=\"" + viewState + "\" />" +
                    "<input type=\"submit\" value=\"Test\" /></form></html>");
                return;
            }

            // Decode throws when the submitted ciphertext is invalid; the unhandled
            // exception is returned as HTTP 500, which is the distinguishable error.
            var v = MachineKey.Decode(viewState, MachineKeyProtection.Encryption);
            context.Response.ContentType = "text/plain";
            if (v.SequenceEqual(secret)) {
                context.Response.Write("I know the secret");
            } else {
                context.Response.Write("Something is wrong with my secret.");
            }
        }

        public bool IsReusable {
            get {
                return false;
            }
        }
    }
Now, based on the HTTP code (HTTP 500 when the cipher is invalid) you may try attacking the site (as described here).

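Added example (not part of the original answer or its GitHub sample): a hardened counterpart to the handler above, in which the token is authenticated as well as encrypted and every failure produces the same response, so there is no HTTP 500 to distinguish an invalid ciphertext. It assumes .NET Framework 4.5 or later with the legacy `appSettings` entry removed; the names `HardenedHandler`, `Purpose` and `IsValid` are hypothetical.

```csharp
<%@ WebHandler Language="C#" Class="HardenedHandler" %>
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Security;
// Added example, hypothetical HardenedHandler.ashx. Assumes .NET 4.5+ and
// that aspnet:UseLegacyMachineKeyEncryption is NOT set in web.config.
public class HardenedHandler : IHttpHandler
{
    static readonly byte[] secret = Encoding.UTF8.GetBytes("Some text to break.");
    // Purpose string ties the token to this handler (constructed value).
    const string Purpose = "HardenedHandler.VIEWSTATE";

    public void ProcessRequest(HttpContext context)
    {
        var token = context.Request.Form["VIEWSTATE"];
        if (token == null) {
            // Protect() encrypts and authenticates the payload.
            var blob = MachineKey.Protect(secret, Purpose);
            token = HttpServerUtility.UrlTokenEncode(blob);
            context.Response.ContentType = "text/html";
            context.Response.Write("<!doctype html><html><form action=\"/HardenedHandler.ashx\" method=\"POST\">" +
                "<input type=\"hidden\" name=\"VIEWSTATE\" value=\"" + HttpUtility.HtmlAttributeEncode(token) + "\" />" +
                "<input type=\"submit\" value=\"Test\" /></form></html>");
            return;
        }
        context.Response.ContentType = "text/plain";
        // Same status code and body for every kind of rejected token.
        context.Response.Write(IsValid(token) ? "I know the secret" : "Invalid request.");
    }

    // Bad encoding, failed integrity check and wrong content all map to false,
    // so the caller cannot tell which step rejected the token.
    static bool IsValid(string token)
    {
        try {
            var blob = HttpServerUtility.UrlTokenDecode(token);
            if (blob == null || blob.Length == 0) return false;
            var plain = MachineKey.Unprotect(blob, Purpose);
            return plain != null && plain.SequenceEqual(secret);
        } catch (CryptographicException) {
            return false;
        } catch (FormatException) {
            return false;
        }
    }
    public bool IsReusable { get { return false; } }
}
```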