Options

AES Vulnerability in ASP.NET

RobertKaucherRobertKaucher Member Posts: 4,299 ■■■■■■■■■■
in Off-Topic
[security through absurdity]: Vulnerability In .NET AES Implementation Puts ASP.NET Web Sites at Risk

icon_lol.gif If you don't laugh, you'll have to cry, right?
· Share on FacebookShare on Twitter

Comments

  • Options
    earweedearweed Member Posts: 5,192 ■■■■■■■■■□
    Sounds like something MS should be putting a fix on ASAP.
    No longer work in IT. Play around with stuff sometimes still and fix stuff for friends and relatives.
    · Share on FacebookShare on Twitter
  • Options
    dynamikdynamik Banned Posts: 12,312 ■■■■■■■■■□
    Yea, here's the same technique being demoed with Apache MyFaces: YouTube - Padding Oracle Exploit Tool vs Apache MyFaces

    This is the research page: netifera research

    That gives you the key, but you also need to do man-in-the-middle, which can prove to be difficult, especially if SSL is being used. If you've already gotten to the point where you've got an SSL proxy going, why not just capture credentials and skip messing around with encrypted session information? I'm on the fence what the genuine impact of this will be. It's very interesting though icon_cool.gif
    · Share on FacebookShare on Twitter
Sign In or Register to comment.