.NET Tutorials, Forums, Interview Questions And Answers
Need help implementing the workaround for the oracle padding exploit

Posted By:      Posted Date: September 24, 2010    Points: 0   Category :ASP.Net

Moved from the MVC forum to the dedicated one about the vulnerability by moderator XIII to keep people and the ASP.NET team at Microsoft focused on one reporting area:

I'm trying to implement the workaround for the oracle padding exploit described on ScottGu's blog.  Here's the workaround:

<customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="/Home/ErrorPage" />

When I add that to my web.config, I'm not redirected to the error page when I try a bogus URL.  I get the regular 404 error page.  That's not what I expected.  When I visit http://www.example.com/Home/ErrorPage, I can see it just fine.

I can't use the script on Scott's page to test my server since I deploy to Az


More Related Resource Links

Alleged Padding Oracle vulnerability in ASP.NET

Can anybody direct me to an official response from Microsoft to the recently identified, and highly exaggerated and sensationalised, Padding Oracle / AES cookie encryption vulnerability which allegedly affects various platforms including Java, Ruby on Rails, and ASP.NET? http://threatpost.com/en_us/blogs/new-crypto-attack-affects-millions-aspnet-apps-091310

As far as I can tell, this issue is not as serious on any of the affected platforms as the regurgitated suggestions in the hyped articles seem to imply. Data is only compromised if developers are careless enough to . And despite all the headlines mentioning banking and singling out ASP.NET, websites where security is that important should all be using HTTPS.

One highly sensationalised headline and article about this, which only mentioned ASP.NET, has been picked up and distributed and repeated prolifically. And sensationalist hype is a good way to get people to click on and share a link to your website. However, as fun and trendy as it may be to try and find reasons to criticise Microsoft technology, it is also dangerous and irresponsible when doing so overlooks or neglects to mention other platforms affected by the same type of vulnerability. Nevertheless, it's reassuring to know that potential issues in MS technology are quickly flagged and hard to miss, because they attract so much publicity.

HOWTO: Verify that custom error handling solutions do not expose padding oracle


I've done some digging and come up with what I think is useful information for you if you have a custom error handling solution in place instead of or as well as the usual ASP.NET <customErrors> stuff.

From comments on ScottGu's post, it seems that the main suspect for the actual padding oracle is WebResource.axd (possibly other .axd handlers too).

  • If you look in .NET Reflector at the IHttpHandler.ProcessRequest method in System.Web.Handlers.AssemblyResourceLoader, there's a call to Page.DecryptString early on.
  • This is the thing that will cause an HTTP 500 status to be returned if it fails, e.g. if the padding, etc. in Request.QueryString["d"] is invalid.
  • If the attacker manages to get the padding right, then it continues on, ultimately to call throw new HttpException(404...).

It's this differentiation, whether the padding is correct (404) or not (500), that is at the root of the exploit: the padding oracle.

If your error handling returns exactly the same response for both, it masks the oracle. To test externally whether you're vulnerable, a simple test is to request both:

  • webresource.axd?d=foo
  • webre
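Added here as a worked example for the two posts above (the customErrors workaround that did not seem to take effect, and the HOWTO that says to request two malformed WebResource.axd URLs and compare the responses): a small self-check script. It is not code from the forum, from ScottGu's post or from the ASP.NET team. The two probe URLs, the example.com base URL and the sample responses are constructed for illustration; the comparison logic (status, content type, body) is the check the HOWTO describes, written so it can be run against a staging server or, offline, against captured responses.

```python
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Sequence
from urllib.parse import urljoin

# Two deliberately malformed "d" values for WebResource.axd. These are
# constructed sample probes for this example, not values from the forum posts.
PROBES = (
    "WebResource.axd?d=foo",
    "WebResource.axd?d=fooYmFy",
)


@dataclass(frozen=True)
class ErrorResponse:
    """The parts of an HTTP error response a remote client can compare."""
    status: int
    content_type: str
    body: bytes


def fetch(url: str, timeout: float = 10.0) -> ErrorResponse:
    """Fetch a URL and return the final response even when it is a 4xx/5xx.
    urllib follows redirects, so with a customErrors defaultRedirect this
    returns the error page the browser would end up on."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return ErrorResponse(resp.status, resp.headers.get("Content-Type", ""), resp.read())
    except urllib.error.HTTPError as err:
        return ErrorResponse(err.code, err.headers.get("Content-Type", ""), err.read())


def differences(a: ErrorResponse, b: ErrorResponse) -> List[str]:
    """List every observable difference between two responses.
    An empty list means a client cannot tell the two apart."""
    diffs = []
    if a.status != b.status:
        diffs.append(f"status {a.status} vs {b.status}")
    if a.content_type != b.content_type:
        diffs.append(f"content-type {a.content_type!r} vs {b.content_type!r}")
    if len(a.body) != len(b.body):
        diffs.append(f"body length {len(a.body)} vs {len(b.body)}")
    elif a.body != b.body:
        diffs.append("body content differs")
    return diffs


def oracle_masked(responses: Sequence[ErrorResponse]) -> bool:
    """True when every response is identical to the first one, i.e. the
    error handling gives the same answer regardless of the padding."""
    first = responses[0]
    return all(not differences(first, r) for r in responses[1:])


def check_site(base_url: str, fetcher: Callable[[str], ErrorResponse] = fetch) -> Dict[str, object]:
    """Request every probe under base_url (which should end with '/') and
    report whether the responses are indistinguishable."""
    responses = [fetcher(urljoin(base_url, probe)) for probe in PROBES]
    return {
        "masked": oracle_masked(responses),
        "differences": [differences(responses[0], r) for r in responses[1:]],
    }


# Constructed sample responses: what an unpatched site looks like (500 for bad
# padding, 404 once the padding is accepted) and what a masked site looks like
# (one identical error page for every failure).
SAMPLE_BEFORE_FIX = (
    ErrorResponse(500, "text/html", b"<html>Server Error in '/' Application.</html>"),
    ErrorResponse(404, "text/html", b"<html>The resource cannot be found.</html>"),
)
SAMPLE_AFTER_FIX = (
    ErrorResponse(200, "text/html", b"<html>An error occurred while processing your request.</html>"),
    ErrorResponse(200, "text/html", b"<html>An error occurred while processing your request.</html>"),
)

if __name__ == "__main__":
    print("unpatched sample:", differences(*SAMPLE_BEFORE_FIX))
    print("patched sample masked:", oracle_masked(SAMPLE_AFTER_FIX))
    # Against a real staging server (hypothetical host):
    # print(check_site("http://www.example.com/"))
```

If the error page contains per-request content (a timestamp, a request id), the body comparison will report a difference even after the fix; either strip that content before comparing or, better, redirect every error to one static page so there is nothing request-specific to leak. A difference in status code alone is enough to keep the oracle alive, which is why the customErrors workaround has to apply to the .axd handler requests too, not only to page requests.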

Possible fix for oracle padding attack ASP.NET 4.0


I've implemented a possible fix for ASP.NET 4.0 by creating a custom crypto algorithm which uses AES + SHA256 hash.

This way it is not easily possible to create new valid requests. The hash function will sort out the majority of the requests as being invalid. Even if the attacker has the machine key, the attacker also needs the secret hash key to encrypt custom data. 

If someone is interested:


LINQ : Implementing IN and NOT IN

I got tired of typing

var result = from s in source
             where items.Contains(s)
             select s;

and so I implemented the IN and NOT IN methods as extension methods:

Implementing Continuous Scrolling UI Pattern in ASP.NET

When you have numerous records to show, you usually have to resort to paging. There is a better alternative for displaying voluminous data (especially read-only data) that provides a better user experience and also makes efficient use of server bandwidth: the Continuous Scrolling or Infinite Scrolling UI pattern. Read on to learn how to implement the Continuous Scrolling UI pattern in ASP.NET with a GridView.

FIPS compliance on web app; no workaround


We recently had FIPS Compliance enforced through Group Policy on our production servers.  In our development environment, we are setting the registry key to enforce FIPS, and we inserted the <machineKey> setting found elsewhere to use MD5 encryption in the ViewState.

However, the web application, which has been working for years, suddenly gets this error:


Server Error in '/' Application.

Parser Error

Description: An error occurred during the parsing of a resource required to service this request. Please review the following specific parse error details and modify your source file appropriately.

Parser Error Message: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.

Source Error:

Line 1:  <%@ Application Codebehind="Global.asax.cs" Inherits="MyWebApplication.Global" %>

Source File: /global.asax    Line: 1

Version Information: Microsoft .NET Framework Version:2.0.50727.3603; ASP.NET Version:2.0.50727.40

Need Oracle Data Provider .CS File for Oracle 10g Database connection !



I need a 'Wrapper.cs' file which takes care of the Database connection ( Oracle 10g) where

i can just call the method with my SQL Query


Gridview1.DataSource = SampleWrapper.ExecuteDatatable("THE SQL QUERY");


Please post the link if there is any open source!

Coroutines: Implementing Coroutines for .NET by Wrapping the Unmanaged Fiber API


Coroutines are a powerful feature of many programming languages including CLU, Scheme, Python, Ruby, and ICON. Coroutines can save processor overhead and reduce redundancy because they allow you to stop execution of a procedure midstream, return a value, and resume exactly where the procedure left off. This article shows how coroutines can be implemented for the .NET Framework by using the Fiber API and Managed Extensions for C++, and how they can be easily used with other .NET-compliant languages. This article also shows a sophisticated use of the runtime host for running multiple managed threads on a single OS thread.

Ajai Shankar

MSDN Magazine September 2003

C++ Q&A: Locking Column Headers, Implementing Singleton Classes


Prevent the sizing of the column headers in an ATL composite control. Also, see how you can share a small amount of simple data among multiple processes running on the same machine without Remoting.

Paul DiLascia

MSDN Magazine June 2003

Basic Instincts: Implementing Callbacks with a Multicast Delegate


This month's column is a follow-up to the December 2002 installment in which I introduced the basic concepts and programming techniques associated with delegates. I am going to assume you have already read that column and that you are familiar with the fundamentals of programming delegates.

Ted Pattison

MSDN Magazine January 2003

Basic Instincts: Implementing Callback Notifications Using Delegates


Delegates are a critical aspect of the Microsoft .NET Framework and are required learning for many programmers. They will take some time to master, but once you learn how to program with delegates, you'll be thrilled with the possibilities they offer.

Ted Pattison

MSDN Magazine December 2002

C++ and STL: Take Advantage of STL Algorithms by Implementing a Custom Iterator


There are many benefits to using the Standard Template Library (STL) for C++ development, including the ability to use generic data structures and algorithms. To use the STL algorithms, an STL-conforming container is required. Iterating through the Internet Explorer cache is an informative exercise, but the cache is not an STL-conforming container. So, to use the STL algorithms to search and enumerate the Internet Explorer cache, an adapter is needed. Building such an adapter, an STL-conforming iterator, is the topic of this article. Also provided is an overview of the components of the STL and the Win32 Internet APIs used.

Samir Bajaj

MSDN Magazine April 2001

ASP.Net connect to Oracle.


We have an application which uses 'System.Data.OracleClient'. On the box it was developed on we can change the TNSNAMES.ORA entries to connect to different Oracle databases. Moving the code to a Microsoft Server 2008 box, it would appear that the application ignores the TNSNAMES.ORA file. It has cached the first Oracle connection and will now work without any TNSNAMES.ORA file. Where is it getting the connection? We have set tns_admin to point at the TNSNAMES.ORA file. We can tnsping the connection OK.

implementing a search similar to what you have in google when you type in a word


Dear all;

I have a textbox and what I would like to implement is basically a situation similar to what you have in Google when you type in a word. In other words,

in the textbox when you type in J, it should generate a list of names that starts with O in alphabetical order, then next when you type in o, so that now you have Jo, it should generate a list of names instead that now starts with Jo in alphabetical order, then again when you type in h, it should generate a list of names that starts with Joh and so on. A sample code could be helpful. Thank you. No JavaScript or jQuery please. All help will be greatly appreciated.
