

NOTE: READ THIS

http://securitythroughabsurdity.com/2010/09/aspnet-and-padding-oracle-attack-wrap.html

"Initially, based on the news that was released it sounded like an issue with AES since they never mentioned 3DES. It turns out that this was false and that this attack works against ANY BLOCK CIPHER meaning 3DES was also vulnerable. I suspected it was premature to suggest this as a valid mitigation technique at the time and said so, and it turns out I was correct at least about that part."




Vulnerability In .NET AES Implementation Puts ASP.NET Web Sites at Risk

==> http://securitythroughabsurdity.com/2010/09/vulnerability-in-net-aes-implementation.html

Simply replace AES with 3DES ^^ In web.config, or directly via the IIS console on the server, or site by site.

<machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="3DES" decryption="3DES" />


http://msdn.microsoft.com/fr-fr/magazine/ff797918.aspx < article on VIEWSTATE security

"Effectively managing user state in Web applications can be a tricky balancing act of performance, scalability, maintainability and security. The security consideration is especially evident when you’re managing user state stored on the client. I have a colleague who used to say that handing state data to a client is like handing an ice cream cone to a 5-year-old: you may get it back, but you definitely can’t expect to get it back in the same shape it was when you gave it out!

In this month’s column, we’ll examine some security implications around client-side state management in ASP.NET applications; specifically, we’re going to look at view state security. (Please note: this article assumes that you’re familiar with the concept of ASP.NET view state. If not, check out “Understanding ASP.NET View State” by Scott Mitchell).

If you don’t think there’s any data stored in your applications’ view state worth protecting, think again. Sensitive information can find its way into view state without you even realizing it. And even if you’re vigilant about preventing sensitive information loss through view state, an attacker can still tamper with that view state and cause even bigger problems for you and your users. Luckily, ASP.NET has some built-in defenses against these attacks. Let’s take a look at how these defenses can be used correctly. "



Edited 1 time(s). Last edit at 09/21/2010 03:49PM by iznogoud.