Web apps built on ASP.Net may face a new wave of crypto attacks, putting sensitive data -- as well as Microsoft's already tarnished reputation for insecurity -- at risk.
The so-called padding oracle attack affects every ASP.Net Web application, according to security researcher Juliano Rizzo, enabling an attacker to decrypt cookies, view states, passwords, user data (such as Social Security numbers), and anything else encrypted using the framework's API. Beyond getting their hands on sensitive data, malicious hackers could use the exploit to forge authentication tickets and access applications with admin rights.
The attack takes advantage of ASP.Net's buggy implementation of AES (Advanced Encryption Standard), according to Threat Post's Dennis Fisher, specifically the way it deals with errors when a cookie's encrypted data has been modified.
"If the ciphertext has been changed, the vulnerable application will generate an error, which will give an attacker some information about the way that the application's decryption process works," writes Fisher. "More errors means more data. And looking at enough of those errors can give the attacker enough data to make the number of bytes that he needs to guess to find the encryption key small enough that it's actually possible."
Notably, ASP.Net isn't the only platform that can be affected by these padding oracle attacks, which have been around since 2002. Rizzo and fellow researcher Thai Duong, the developers of the attacks, previously demonstrated weaknesses in JavaServer Faces, Ruby on Rails, and OWASP ESAPI. The fact that this one exploits Microsoft's popular ASP.Net platform, however, will likely boost awareness of the problem -- and the Redmond giant is likely to bear the brunt of the criticism.