I need to put in a transaction. I have the following code:
Is there any way to add a transaction in the middle tier for this, and if so, how?
And if not, and I have to move everything to my DAL, how will I run the transaction using the OracleHelper class?
Authorization Manager in Windows Server 2003 represents a significant improvement in the administration of role-based security, making it more scalable, flexible, and easier to implement. Using Authorization Manager, you can define roles and the tasks those roles can perform. You can nest roles to inherit characteristics from other roles, and you can define application groups. In addition, Authorization Manager lets you use scripts to modify permissions dynamically, and it allows you to wrap your security logic in a security policy that can be stored in Active Directory. Authorization Manager also includes an easy-to-use API for running access checks. The author discusses all of these topics and demonstrates them with a working sample.
MSDN Magazine November 2003
I've done some digging and come up with what I think is useful information for you if you have a custom error handling solution in place instead of or as well as the usual ASP.NET <customErrors> stuff.
From comments on ScottGu's post, it seems that the main suspect for the actual padding oracle is WebResource.axd (possibly other .axd's).
It's this differentiation, whether the padding is correct (404) or not (500), that is at the root of the exploit: the padding oracle.
If your error handling returns exactly the same response for both, it masks the oracle. To test if you're vulnerable externally, a simple test is to request both: