Why did Scott Guthrie suggest that we use a random, small sleep delay in Error.aspx?

I cannot figure out how a random, small sleep delay can be a solution to prevent an attacker from probing our site.

This is his code snippet:

<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Threading" %>

<script runat="server">
void Page_Load() {
  byte[] delay = new byte[1];
  RandomNumberGenerator prng = new RNGCryptoServiceProvider();

  prng.GetBytes(delay);
  Thread.Sleep((int)delay[0]);

  IDisposable disposable = prng as IDisposable;
  if (disposable != null) { disposable.Dispose(); }
}
</script>

<html>
<head runat="server">
<title>Error</title>
</head>
<body>
<div>
    An error occurred while processing your request.
</div>
</body>
</html>

xport asked Sep 28 '10 02:09


2 Answers

This is to prevent people constantly triggering your error page and exploiting the recent ASP.NET vulnerability. They need a large number of failures to take advantage of this exploit.

The sleep delay will not 'prevent' access to your page. Think of it as being analogous to brute forcing a password; if you have to wait 5 seconds between guesses instead of 5ms, you will take a little more time to find the pw.

Alex answered Oct 23 '22 21:10


In simple terms the vulnerability is about guessing a really long password (which is the key used to encrypt your session state, amongst other things?).

Imagine you wrote a routine to check a password:

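   // Deliberately naive: returns at the first mismatching character, so the
   // running time depends on how many leading characters are correct.
   bool checkPassword(string userInput)
   {
      for(int index = 0; index < password.Length; index++)
      {
        if(userInput[index] != password[index]) {
             return false;   // early exit is what leaks timing
        }
      }

      return true;
   }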

This would allow a timing attack on the password algorithm, because you can check a character at a time, because it takes longer the more correct your password is. I.e., imagine the password is 'carrots'.

Calling checkPassword('ca') will take longer than checkPassword('aa'), so you can iterate through a character at a time.

Because somewhere in the ASP.NET stack there is a bad implementation like this, adding a random sleep helps throw out the timing attack... (but it is not perfect, I imagine)

For more information see:

http://en.wikipedia.org/wiki/Timing_attack

icedtoast answered Oct 23 '22 22:10
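
The early-exit comparison described in the answer above, next to a fixed-work version, as an added example that is not part of either answer or of ASP.NET's own code. The step counter is an assumed stand-in for elapsed time, the names `LeakyEquals` and `FixedWorkEquals` are hypothetical, and the guesses are constructed sample input.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class CompareDemo
{
    // Constructed sample secret, borrowed from the answer's 'carrots' illustration.
    const string Secret = "carrots";

    // Early-exit comparison, instrumented to count loop iterations.
    // The count stands in for elapsed time (an assumption of this example).
    static bool LeakyEquals(string input, string secret, out int steps)
    {
        steps = 0;
        if (input.Length != secret.Length) return false;
        for (int i = 0; i < secret.Length; i++)
        {
            steps++;
            if (input[i] != secret[i]) return false; // work depends on matched prefix
        }
        return true;
    }

    // Same result, but every position is always examined and differences are
    // accumulated with XOR/OR, so the amount of work does not depend on where
    // the first mismatch is.
    static bool FixedWorkEquals(string input, string secret, out int steps)
    {
        steps = 0;
        int diff = input.Length ^ secret.Length;
        for (int i = 0; i < secret.Length; i++)
        {
            steps++;
            char c = i < input.Length ? input[i] : '\0';
            diff |= c ^ secret[i];
        }
        return diff == 0;
    }

    static void Main()
    {
        foreach (string guess in new[] { "aaaaaaa", "caaaaaa", "carraaa", "carrots" })
        {
            bool a = LeakyEquals(guess, Secret, out int leakySteps);
            bool b = FixedWorkEquals(guess, Secret, out int fixedSteps);
            // Library routine for byte sequences (System.Security.Cryptography, .NET Core 2.1+).
            bool c = CryptographicOperations.FixedTimeEquals(
                Encoding.UTF8.GetBytes(guess), Encoding.UTF8.GetBytes(Secret));
            Console.WriteLine($"{guess}: leaky={a} ({leakySteps} steps), fixed={b} ({fixedSteps} steps), library={c}");
        }
    }
}
```

The leaky step count grows with the number of correct leading characters, while the fixed-work count is the same for every guess; a random sleep only adds noise on top of the first, whereas the second has no difference left to hide.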