Monday, September 20, 2010

ASP.Net Crypto Attack

Well, unless you’ve been living under a rock for the last week you are probably now aware of the Crypto attack that is in the wild and targets ASP.Net applications. This attack is raising many of the same issues that we see regularly in the industry with SQL Injection Attacks.

Wait, what?? Yes, this is another of those situations where Developers and Administrators have been lazy. Yes, it is a Vulnerability and it needs to be fixed, but it’s also become a massive issue because a large number of ASP.Net applications don’t handle errors correctly.

The recommended workaround (from the MS Security Advisory) is to simply enable customErrors and redirect to a generic error page. Simple fact is that EVERY ASP.Net app out there should be doing this already. This is one of the many steps to mitigating attacks on websites, including SQL Injection attacks. Returning any error detail to potentially malicious users is bad.

So, let me quickly run through the bare essentials.

If you're using .Net 3.0 or earlier, add this to your config file:

<configuration>
  <location allowOverride="false">
    <system.web>
      <customErrors mode="On"
                    defaultRedirect="~/error.html" />
    </system.web>
  </location>
</configuration>

For .Net 3.5 and above, use this instead:

<configuration>
  <location allowOverride="false">
    <system.web>
      <customErrors mode="On"
                    redirectMode="ResponseRewrite"
                    defaultRedirect="~/ErrorPage.aspx" />
    </system.web>
  </location>
</configuration>

There is an additional step you should take. In your error page, add a random sleep to the Page_Load event. Why?? The short and easy answer is that some attacks use timing information to derive information, so the time it takes the server to return the error page must not depend on which error occurred. Adding a random sleep (generate the random number through the crypto engine, not System.Random) helps to remove another potential vector for gathering information.

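Here is what that looks like in the code-behind of the generic error page named by defaultRedirect. This is an added example, not code from the original post or from the MS advisory; the class name ErrorPage and the delay bounds are my own assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Threading;
using System.Web.UI;

// Code-behind for ~/ErrorPage.aspx (assumed name). Every error, whatever
// its cause, lands here and gets the same generic response after a delay
// drawn from the cryptographic RNG.
public partial class ErrorPage : Page
{
    // Delay bounds in milliseconds; example values, tune to taste.
    private const int MinDelayMs = 100;
    private const int MaxDelayMs = 1000;

    // Draw the delay from RNGCryptoServiceProvider rather than System.Random,
    // so a remote observer cannot predict or model the sleep and subtract
    // it back out of the measured response time.
    private static int RandomDelayMs()
    {
        byte[] buffer = new byte[4];
        new RNGCryptoServiceProvider().GetBytes(buffer);

        // Clear the sign bit to get a non-negative int, then scale into range.
        // The small modulo bias is irrelevant here; this is jitter, not a key.
        int value = BitConverter.ToInt32(buffer, 0) & int.MaxValue;
        return MinDelayMs + (value % (MaxDelayMs - MinDelayMs + 1));
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // Sleep first, so the time to reach this page carries no information
        // about which error (padding, parsing, application) brought us here.
        Thread.Sleep(RandomDelayMs());

        // Identical status and body for every error; no exception details,
        // no stack trace, nothing that distinguishes one failure from another.
        Response.StatusCode = 500;
        Response.Cache.SetCacheability(System.Web.HttpCacheability.NoCache);
    }
}
```

Pair this with the customErrors entry above; the sleep only helps if every error path, not just some of them, is routed through this one page.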
Please, don’t be lazy, make sure your Web Apps are secure.
