I was reading this SO question when I was struck by @Slauma's link response (included here) to the chosen answer written by @reach4thelasers. It's a blog post of how to crack ASP.NET's forms authentication wide open and collect the remote machine key in about half an hour's time.
There were some responses to the blog post that mentioned this was only possible if you didn't do some specific things, but I was not clear on what those specific things were (something about a custom errors page, but the video didn't seem to hit any error page). It also mentioned MS had recommendations to avoid these sorts of attacks, but there was no link to the recommendation.
So, first up, can someone clearly explain what is necessary, when developing an ASP.NET forms authentication system, to prevent exploitations like the one mentioned above?
Secondly, are there any other well-known exploits in ASP.NET forms authentication that a certain best practice (that is not implemented by default) will mitigate or prevent? I am building a public site with financial data, so this is of serious concern to me.
This was already addressed a long time ago: http://technet.microsoft.com/en-us/security/bulletin/MS10-070
Scott Gu wrote about it at the time http://weblogs.asp.net/scottgu/archive/2010/09/28/asp-net-security-update-now-available.aspx
This SO question covers some of the impact of the issue: "Is it vulnerable to ASP Padding oracle".
I would say that the main takeaway is that patches and upgrades in frameworks are less dangerous than leaving production apps on an old framework at an old patch level, something that the change control boards of large organizations see in reverse. They generally fear the patches & updates more than the possibility of vulnerabilities in existing code.
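As an added example, not taken from the question or the answer above: the interim workaround Microsoft published (in the Scott Gu post linked above) before the MS10-070 patch shipped was to send every error, whatever its cause, to a single custom error page, so the response no longer tells a client whether the padding check or something else failed. The weak setting is shown beside the recommended one; the page name `error.aspx` is an assumption.

```xml
<!-- Weak: per-status error pages (or customErrors Off) let a client distinguish
     a failed decryption/padding check from any other failure by status code or body. -->
<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="~/error.aspx">
      <error statusCode="404" redirect="~/notfound.aspx" />
      <error statusCode="500" redirect="~/servererror.aspx" />
    </customErrors>
  </system.web>
</configuration>

<!-- Recommended workaround for ASP.NET 3.5 SP1 / 4.0: one page for every error, and
     ResponseRewrite so the client sees the same page and status for all failures rather
     than a redirect whose target reveals the error class. (error.aspx is an assumed name.)
     On ASP.NET 1.0-3.5 RTM, which lack redirectMode, the same element without that
     attribute was the published guidance. -->
<configuration>
  <system.web>
    <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/error.aspx" />
  </system.web>
</configuration>
```

The published guidance also had the error page itself sleep for a short random interval before responding, to blunt timing as a side channel. This was only a stopgap: the actual fix is installing the MS10-070 update, which is the answer's point about patching.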