Web Application – .Net security

I was just listening to the Security Now Podcast and Steve Gibson was talking about a new .Net Vulnerability.

By way of background, I do classic ASP development and am moving to .NET via SharePoint. As such, I am aware of SQL injection and cross-site scripting issues with web-based applications. I recommend people in this line of work, especially those with public-facing apps, read up on the new vulnerability.

Podcast Show Notes: http://wiki.twit.tv/wiki/Security_Now_267

A brief quote from Steve Gibson in summary:

  • “ASP.NET’s server-side cryptography can be probed by sending ciphertext back to the server and examining differences in the returned error code to learn what the server thought about what was sent.
  • By sending many such requests, the system’s crypto can be cracked to expose usernames, passwords and other data protected by the server.
  • The temporary workaround is to force EVERY error message to be the same so that the attacker cannot learn anything from probing the system.”
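To make the workaround in that last bullet concrete, here is an added example of the ASP.NET web.config setting involved. It is not from the podcast, this post, or Microsoft's advisory; the page names (~/Error.aspx and the per-status pages) are assumed placeholders. The first fragment is the kind of configuration that gives a client different responses for different server-side failures; the second sends every error to one page with the same status and body, which is what "force EVERY error message to be the same" amounts to in practice.

```xml
<!-- Added example, not from the original post. File: web.config (ASP.NET). -->

<!-- WEAK: different failures produce visibly different responses.
     Each <error> entry sends its status code to its own page (and its own
     redirect URL), so a client can tell one kind of server-side error
     from another just by looking at what comes back. -->
<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx">
      <error statusCode="404" redirect="~/NotFound.aspx" />
      <error statusCode="500" redirect="~/ServerError.aspx" />
    </customErrors>
  </system.web>
</configuration>

<!-- HARDENED: one response for every error.
     mode="On" hides error details from all clients, local ones included;
     there are no per-status <error> entries, so every failure is handled
     by the same page; redirectMode="ResponseRewrite" (available from
     .NET 3.5 SP1 onward) serves that page in place instead of issuing a
     redirect, so the status code and body are identical whatever went
     wrong. ~/Error.aspx is an assumed placeholder page. -->
<configuration>
  <system.web>
    <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/Error.aspx" />
  </system.web>
</configuration>
```

The error page itself must also behave identically for every failure: no error-specific text, no different headers, and no processing that takes longer for one kind of error than another, since any of those differences would give a prober back the signal the uniform setting is meant to remove. The quote calls this a temporary workaround, and that is how to treat it; it reduces what an attacker can learn from error responses but is not a substitute for applying the vendor's fix.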

An overview here at CNet: http://news.cnet.com/8301-27080_3-20017042-245.html and more detail at Microsoft's blog post here: http://blogs.technet.com/b/srd/archive/2010/09/17/understanding-the-asp-net-vulnerability.aspx

From the Microsoft blog post: “For example, if the ASP.Net application stores sensitive information, such as passwords or database connection strings, in the ViewState object this data could be compromised”

The moral here is you can’t take your eye off security issues, even if it is not your main area.

I am about to review an older site for maintenance issues and will be reviewing security issues as well. One resource I'll be using to bring myself up to date is the OWASP Top Ten:

http://www.owasp.org/index.php/OWASP_Top_Ten_Project

Steven