Categories
Welcome Center
Education & Development
Discussions
Certification Preparation
Recent Posts
Groups
Free Resources
Ebooks
Free Workshops
Trending Certifications Infographic
Infosec Training
IT & Security Training
Live Boot Camps
Security Awareness Training
About Infosec Institute
Home
Discussions
Off Topic
AES Vulnerability in ASP.NET
RobertKaucher
[security through absurdity]: Vulnerability In .NET AES Implementation Puts ASP.NET Web Sites at Risk
If you don't laugh, you'll have to cry, right?
Find more posts tagged with
Save $250 on 2025 certification boot camps from Infosec!
Book now with code EOY2025
Button
Comments
earweed
Sounds like something MS should be putting a fix on ASAP.
dynamik
Yea, here's the same technique being demoed with Apache MyFaces:
YouTube - Padding Oracle Exploit Tool vs Apache MyFaces
This is the research page:
netifera research
That gives you the key, but you also need to do man-in-the-middle, which can prove to be difficult, especially if SSL is being used. If you've already gotten to the point where you've got an SSL proxy going, why not just capture credentials and skip messing around with encrypted session information? I'm on the fence what the genuine impact of this will be. It's very interesting though
Quick Links
All Categories
Recent Posts
Activity
Unanswered
Groups
Best Of
INFOSEC Boot Camps
$250
OFF
Use code
EOY2025
to receive $250 off your 2025 certification boot camp!
BROWSE BOOT CAMPS
