ApplicationHost.config File Location

Posted by: Gabe Hilado in IIS on May 26th, 2011

In case you are wondering where the ApplicationHost.config is located, perhaps because you have to make some modifications to it, you can find the file at:

C:\Windows\System32\inetsrv\config

Backup the file before you make modifications!!!

ASP.NET Vulnerability Workaround – Homogenize the App’s Response Codes

Posted by: Gabe Hilado in ASP.NET,IIS,Security on September 22nd, 2010

Yesterday, I blogged about the newest ASP.NET Vulnerability. As of this writing, there is still no patch for the ASP.NET Security Advisory 2416728. If the detection tool as part of the workaround provided by Microsoft reports that your apps are okay, then you don’t have nothing to worry about—just wait for the security update (what else can you do?).

Now, if the detection tool reports that your apps are vulnerable, and the apps are public-facing (on the Web), you will really want to consider the workaround.

The emphasis of the workaround is to “homogenize the error codes”. The exploit relies on error codes returned by the application to an attacker. The more differentiated the error codes, the more it learns about the encryption, and the better chance it has on cracking the encryption (read-up on “Padding Oracle Attack”).

I created a stripped-down test ASP.NET Web application project that initially has customErrors=”Off”. Within the project, I created pages that will deliberately throw errors. I have a “Divide by Zero” page, a “Throw Error” page, a “View State Exception” page, and a link from the default page to a non-existent page. I used Fiddler to monitor the traffic to and from the app while customErrors=”Off”. Next, I apply Scott Guthrie’s ASP.NET workaround for this vulnerability. I set customErrors=”On” and initially, I use redirectMode=”ResponseRedirect”. The HTTP 500 response codes disappeared but there are still HTTP 302 (redirect) responses. See the evolution of the response codes as I changed the customErrors section:

Fiddler Screenshot of Mixed Error-Codes

customErrors=”On” starts at line 13 in the screenshot above. No more HTTP 500 once customErrors was turned on. However, there are still HTTP 302, which may clue-in the attacker that an error occurred and hence the redirect to a generic page.

So we change the customErrors element once more time. I set redirectMode=”ResponseRewrite”:

   

<customErrors mode="On" defaultRedirect="fatwhale.htm" redirectMode="ResponseRewrite" />

(By the way, in case you’re wondering what the “fatwhale.htm” page is, it is in reference to the twitter whale whenever twitter service gets overloaded.)

After setting redirectMode=”ResponseRewrite”, the traffic captured by Fiddler shows that everything is consistently HTTP 200, even though we know that run-time errors were occurring on the individual pages:

Fiddler Screenshot - All HTTP 200 Response

Scott responded to some of the comments in his blog post and he strongly encouraged people to homogenize the response/error codes. The Fiddler screenshots I showed above is what I think Scott Gu means by “homogenizing the codes”.

Recent Posts

Categories

Tags

Administrators ASP.NET Backup Business Cloud CMS Collaboration Content Management Systems Data Database Data Validation Deployment Developers Enterprise Forms IIS IIS 7 iPhone Apps JavaScript jQuery Migration Mobile MOSS 2007 Open-Source Restore Search Security SharePoint SharePoint 2010 SharePoint Designer SharePoint Installation SQL Server STSADM System Integration Technology Upgrade User Groups Virtualization Visual Studio Washington DC Web Parts Windows 7 WSP WSS 2.0 WSS 3.0

Archives

Blogroll

Bookmark and Share