diTii.com Digital News Hub



ASP.Net Web Apps Face Risk of ‘Padding Oracle’ Crypto Attack

Web apps built on ASP.Net may face a new wave of crypto attacks, putting sensitive data, as well as Microsoft's already tarnished reputation for insecurity, at risk. The so-called "padding oracle" attack affects every ASP.Net Web application, according to security researcher Juliano Rizzo, enabling an attacker to decrypt cookies, view states, passwords, user data (such as Social Security numbers), and anything else encrypted using the framework's API. Beyond getting their hands on sensitive data, malicious hackers could use the exploit to forge authentication tickets and access applications with admin rights.

The attack takes advantage of ASP.Net’s buggy implementation of AES (Advanced Encryption Standard).

Notably, ASP.Net isn't the only platform that can be affected by these padding oracle attacks, which have been around since 2002. Rizzo and fellow researcher Thai Duong, the developers of the attacks, previously demonstrated weaknesses in JavaServer Faces, Ruby on Rails, and OWASP ESAPI. The fact that it exploits the ASP.Net platform, however, will likely boost awareness of the problem; the Redmond giant is likely to bear the brunt of the criticism.
