Is ASP.NET MVC vulnerable to the oracle padding attack?

Is ASP.NET MVC 2 vulnerable to the oracle padding attack? If so, what workaround should be implemented? The instructions on Scott Gu's blog appear to only be for Webforms.

I tried this:

<customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="/Home/ErrorPage" />

however, http://www.example.com/PageThatDoesNotExist still returns a standard 404 error page.

EDIT: I see that Scott Gu posted in the comments under his blog post that MVC is vulnerable, but it's still not clear to me exactly how to implement the workaround.

royco asked Sep 20 '10 17:09


2 Answers

Yes - linkage to the comment by Scott Guthrie.

Saturday, September 18, 2010 9:00 PM by ScottGu

@Vijay,

Will the ASP.NET MVC too get affected?

Yes - all versions of ASP.NET are affected, including ASP.NET MVC.

Thanks,

Scott

I see that you've seen the comment, but if you run the vbs script on your server, it should tell you if it's still a problem.

Edit: Also, Scott has discussed FAQs in a new post here.

Dan Atkinson answered Oct 20 '22 00:10


Under your default route you could/should add this for starters

routes.MapRoute("Catch All", "{*path}", new { controller = "Home", action = "ErrorPage" });

Edit 2

The problem lies in the part redirectMode="ResponseRewrite"; without this, it works.

Using the route, though, will fix one part of the problem: where the path can't be found (404).

The next part, like existing paths with bad IDs or other data, could be fixed with

<customErrors mode="On" defaultRedirect="/Home/ErrorPage" />

What exactly does redirectMode="ResponseRewrite" do?

Edit: what it does.

redirectMode

  • ResponseRedirect: Specifies that the URL to direct the browser to must be different from the original Web request URL.
  • ResponseRewrite: Specifies that the URL to direct the browser to must be the original Web request URL.

It only matters for .NET 3.5 SP1 and .NET 4.0.

Edit 101:

For redirectMode="ResponseRewrite", ASP.NET calls Server.Execute(...) internally, which does not work with MVC routes, so for MVC this only works with a static HTML file.

<customErrors mode="On" defaultRedirect="~/Views/Shared/error.htm" redirectMode="ResponseRewrite" />

works.

Stefanvds answered Oct 20 '22 01:10
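Putting the two answers together, as an added example (not code from the question or from either answer): the catch-all route from the second answer registered in Global.asax.cs after the default route, and a HomeController.ErrorPage action assumed to be the target of both that route and the `<customErrors defaultRedirect="/Home/ErrorPage" />` element. The class, view and route names are assumptions.

```csharp
// Global.asax.cs (ASP.NET MVC 2) -- assumed file and class names
using System.Web.Mvc;
using System.Web.Routing;

public class MvcApplication : System.Web.HttpApplication
{
    public static void RegisterRoutes(RouteCollection routes)
    {
        routes.IgnoreRoute("{resource}.axd/{*pathInfo}");

        routes.MapRoute(
            "Default",
            "{controller}/{action}/{id}",
            new { controller = "Home", action = "Index", id = UrlParameter.Optional });

        // Catch-all from the answer above. Routes match in registration order,
        // so it must come last; any URL no earlier route matches goes to the
        // same error action instead of the framework's default 404 page.
        routes.MapRoute(
            "Catch All",
            "{*path}",
            new { controller = "Home", action = "ErrorPage" });
    }

    protected void Application_Start()
    {
        AreaRegistration.RegisterAllAreas();
        RegisterRoutes(RouteTable.Routes);
    }
}

// Controllers/HomeController.cs -- assumed
public class HomeController : Controller
{
    // One error action reached both by the catch-all route (unknown paths)
    // and by customErrors defaultRedirect (exceptions on existing paths, e.g.
    // bad IDs). Every failure therefore produces the same view and body, so the
    // response itself does not reveal which stage of processing failed.
    public ActionResult ErrorPage()
    {
        // Keep IIS 7 integrated mode from substituting its own error page,
        // which would again make error responses distinguishable.
        Response.TrySkipIisCustomErrors = true;
        return View("ErrorPage"); // Views/Shared/ErrorPage.aspx, assumed static content
    }
}
```

The `customErrors` element from the question, without `redirectMode="ResponseRewrite"`, still has to point at `/Home/ErrorPage` for the exception path to reach this action.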