The past week has contained a bit of uncertainty around the vulnerability to ASP.NET’s security. The good news is that Microsoft has a security update coming to address the issue tomorrow, and should be applauded for responding so quickly. You only have to stop for a moment and think about the level of testing required for anything affecting a product such as the .NET framework to realise that responding within a limited timeline like this is pretty impressive indeed.

However for those who want a bit more technical info (i.e. people who are simply curious about how this stuff works), here’s a collection of interesting posts on the subject.

Firstly, let’s set the scene with a short video demonstrating the exploit in action against DNN. You should note that DNN is a good target due to the fact that some of their default administrator usernames are well known – this makes it easier to exploit the vulnerability. It’s a reminder as to why it’s always good to change these default usernames whenever you have the option to do so.

Now, for some links. Firstly this one - HOWTO: Verify that custom error handling solutions do not expose padding oracle – is a useful post with some good technical info, and a more useful way to verify vulnerability by using Fiddler to visit a couple of variations on requests to WebResource.axd. There’s some good discussions and clarifications that take place in the replies, which are good reading if you want a bit more background information.

Next is a Padding oracle detection script, which comes from the same author as above. This can be used to help verify whether your sites have been properly patched or not.

Finally, a couple of links from ScottGu - Update on ASP.NET Vulnerability and ASP.NET Security Update Shipping Tuesday, Sept 28th.

Stay safe out there!

-Ross