ASP.NET Notes
From Rory.wiki
Event Validation
ASP.NET can have event validation enabled, which protects against some forms of input validation attacks.
http://blog.maartenballiauw.be/post/2007/04/asp-net-2-0-event-validation.aspx
http://idunno.org/archive/2009/01/26/when-is-a-postback-not-a-postback.aspx
Some Event Validation Weaknesses
http://haacked.com/archive/2009/04/02/csrf-webforms.aspx
http://haacked.com/archive/2009/04/02/anatomy-of-csrf-attack.aspx
Forms Authentication Logouts and Cookie Replay
There's a weakness with ASP.NET Forms authentication and the SignOut method: it doesn't clear the server-side session store, so a captured cookie can still be replayed after logout.
http://stackoverflow.com/questions/2117930/preventing-cookie-replay-attacks-in-asp-net-mvc
http://support.microsoft.com/kb/900111
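The following is an added example, not code from the page or from the linked articles. It shows a logout routine for ASP.NET Web Forms that does more than FormsAuthentication.SignOut() alone: it abandons the server-side session, expires both cookies explicitly, and records the signed-out ticket so that a replayed copy is rejected even while it is still within its lifetime. The in-memory revocation dictionary is an assumption for a single server; a real deployment would keep it in a shared store (database or cache). The cookie name "ASP.NET_SessionId" is the default session cookie name and is also assumed here.

```csharp
// Added example (not from the page): hardening logout against cookie replay.
// Assumption: single server, in-process session state; RevokedTickets stands in
// for a shared revocation store.
using System;
using System.Collections.Concurrent;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public static class LogoutHardening
{
    // Tickets the user has signed out of, keyed by user name and issue time,
    // with the ticket's own expiry so stale entries can be dropped.
    private static readonly ConcurrentDictionary<string, DateTime> RevokedTickets =
        new ConcurrentDictionary<string, DateTime>();

    private static string TicketKey(FormsAuthenticationTicket t)
    {
        return t.Name + "|" + t.IssueDate.ToUniversalTime().Ticks;
    }

    // Call from the logout button/handler.
    public static void SignOutCompletely(HttpContext context)
    {
        // 1. Remember the current ticket so a replayed copy is refused later.
        var identity = context.User != null ? context.User.Identity as FormsIdentity : null;
        if (identity != null)
        {
            RevokedTickets[TicketKey(identity.Ticket)] = identity.Ticket.Expiration;
        }

        // 2. Remove the forms-authentication cookie for this client.
        FormsAuthentication.SignOut();

        // 3. Destroy the server-side session entry; SignOut alone does not.
        if (context.Session != null)
        {
            context.Session.Clear();
            context.Session.Abandon();
        }

        // 4. Expire both cookies explicitly so the browser discards them.
        foreach (var name in new[] { FormsAuthentication.FormsCookieName, "ASP.NET_SessionId" })
        {
            var expired = new HttpCookie(name, string.Empty)
            {
                Expires = DateTime.UtcNow.AddYears(-1),
                HttpOnly = true,
                Secure = FormsAuthentication.RequireSSL
            };
            context.Response.Cookies.Add(expired);
        }
    }

    // Call from Application_PostAuthenticateRequest in Global.asax.
    // A ticket that was signed out no longer authenticates the request,
    // even though its MAC still validates and it has not yet expired.
    public static void RejectRevokedTicket(HttpContext context)
    {
        var identity = context.User != null ? context.User.Identity as FormsIdentity : null;
        if (identity == null) return;

        string key = TicketKey(identity.Ticket);
        DateTime expiry;
        if (!RevokedTickets.TryGetValue(key, out expiry)) return;

        if (expiry < DateTime.Now)
        {
            // The ticket would be rejected as expired anyway; stop tracking it.
            RevokedTickets.TryRemove(key, out expiry);
        }

        // Downgrade the request to anonymous and clear the cookie again.
        context.User = new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
        FormsAuthentication.SignOut();
    }
}
```

RejectRevokedTicket deliberately touches nothing session-related, because in PostAuthenticateRequest the session has not yet been acquired; the revocation check relies only on the ticket carried in the cookie.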
Padding Oracle
Some links and information about the padding oracle attack that focused on ASP.NET session tokens and webresource files in 2010.
From here, some ways to tell whether the patch has been applied. One tell-tale sign is that the d parameter passed to WebResource.axd will be longer than before, because it now includes a MAC.
Excellent description of the issue
Links & Resources
http://www.dotnetguy.co.uk/post/2009/05/03/aspnet-e28093-security-10-helpful-pointers.aspx
