Understanding Acunetix Results

Post by zerolimit on Fri Aug 23, 2013 4:33 am

When I tried using Acunetix to scan my website, I got a high-level warning:

Code:
ASP.NET Padding Oracle Vulnerability
Vulnerability description
ASP.Net uses encryption to hide sensitive data and protect it from tampering by the client. However, a vulnerability in the ASP.Net encryption implementation can allow an attacker to decrypt and tamper with this data. This vulnerability exists in all versions of ASP.NET.

This vulnerability affects /.

Discovered by: Scripting (ASP_NET_Oracle_Padding.script).

Attack details
Acunetix detected this vulnerability by comparing the HTTP response status and body for two different requests (one request when the padding is incorrect and another one where the encrypted text is not valid). If the body AND/OR status are different, this vulnerability can be exploited.

The impact of this vulnerability
An attacker who exploited this vulnerability could view data, such as the View State, which was encrypted by the target server, or read data from files on the target server, such as web.config. This would allow the attacker to tamper with the contents of the data. By sending back the altered contents to an affected server, the attacker could observe the error codes returned by the server.

HTML RESPONSE:
The resource cannot be found.
Description: HTTP 404. The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is temporarily unavailable.  Please review the following URL and make sure that it is spelled correctly.

Requested URL: /WebResource.axd

1. While it's not a good practice, I don't think someone can view my data from this error only. What do you think? Are these false-positive results?
2. I also want to know if Acunetix scans my web server's vulnerabilities. If not, can you recommend a good one? I'm using Windows Server 2003, and I'm trying to convince my boss to upgrade it, but he wants to know if I can hack it first before he gives me money to upgrade it.
zerolimit
New User
Posts: 3
Joined: Wed Jul 17, 2013 2:53 am
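A small model of the heuristic the report describes, added here as an example (it is not code from the post or from Acunetix): a handler that decrypts before authenticating and answers a padding failure and a MAC failure with different bodies is flagged by the two-probe comparison, while one that authenticates first and returns one fixed response for every failure is not. The key, the XOR stand-in for decryption, the error strings and the probe bytes are all constructed for the model.

```python
import hmac, hashlib

# Constructed key for the model; a real server derives this from its machineKey.
KEY = b"example-machine-key-not-real"
TAG_LEN = 32

def stand_in_decrypt(data: bytes) -> bytes:
    """Stand-in for AES-CBC decryption (an XOR keystream), NOT a real cipher; it
    only lets the padding check run on client-controlled bytes. It is symmetric,
    so the same function builds the probes below."""
    return bytes(c ^ KEY[i % len(KEY)] for i, c in enumerate(data))

def unpad_pkcs7(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if n == 0 or n > 16 or n > len(data) or data[-n:] != bytes([n]) * n:
        raise ValueError("Padding is invalid and cannot be removed.")
    return data[:-n]

def vulnerable_handler(token: bytes):
    """Decrypts first, authenticates second, and answers each failure with a
    different body: that difference is the oracle the scanner looks for."""
    try:
        plain = unpad_pkcs7(stand_in_decrypt(token))
    except ValueError as e:
        return 500, str(e)
    body, tag = plain[:-TAG_LEN], plain[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(KEY, body, hashlib.sha256).digest(), tag):
        return 500, "Invalid viewstate."
    return 200, "OK"

def hardened_handler(token: bytes):
    """Authenticates the ciphertext before touching the padding and returns one
    identical response for every failure, so the probes cannot be told apart."""
    cipher, tag = token[:-TAG_LEN], token[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(KEY, cipher, hashlib.sha256).digest(), tag):
        return 404, "The resource cannot be found."
    try:
        unpad_pkcs7(stand_in_decrypt(cipher))
    except ValueError:
        return 404, "The resource cannot be found."
    return 200, "OK"

# The scanner's two probes, as constructed inputs: one that decrypts to valid
# padding but fails authentication, and one whose padding byte is invalid.
BAD_MAC_PROBE = stand_in_decrypt(b"A" * 40 + bytes([8]) * 8)
BAD_PADDING_PROBE = stand_in_decrypt(b"A" * 47 + b"\x00")

def scanner_check(handler) -> bool:
    """The described heuristic: report a finding when status or body differ."""
    return handler(BAD_PADDING_PROBE) != handler(BAD_MAC_PROBE)
```

Running the same check against your own handler with a uniform error page configured is the quickest way to see whether the responses the scanner compared actually differ.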

