I’m doing research to better understand the padding oracle attack that was recently disclosed to affect ASP.NET, and thought I’d provide a quick list of the links that I’ve found most helpful:
- Microsoft SharePoint Team Blog: Security Advisory 2416728 (Vulnerability in ASP.NET) and SharePoint
- Automated Padding Oracle Attacks with PadBuster
- How to check if your application is vulnerable to the ASP.NET Padding Oracle Vulnerability
- Duncan Smart’s post on ASP.NET detailing how to check if your application masks the oracle
- Duncan Smart’s blog entry on the matter (with link to a wsh script to use for testing)
- ASP.NET forum post dealing with classic ASP. Guess what - your ASP site may be vulnerable if you haven’t disabled some ASP.NET features

The classic ASP bit is the most unexpected to me, but makes perfect sense.

Update: Patch your servers, as the padding oracle is no longer needed. Thanks Matt!