If you are developing, testing, or supporting web applications, you probably encounter situations when you need to record or modify HTTP traffic. Quite often, the browser request viewer might be enough, but what if you need to modify the traffic on the fly? Another challenging task is testing how your application behaves when put behind a load balancer or an edge server. There are many great HTTP proxies available in the market, including mitmproxy, Burp Suite, or Fiddler and they may be perfect in diagnosing/testing your applications. In this post, however, I am encouraging you to write small tools for your specific needs. There are many reasons why you may want to do so, such as the need for complex requests modifications, better control over the request processing, or customizations of the certificate creation. Of course, implementing the HTTP protocol could be demanding so, don’t worry; we won’t do that 🙂 Instead, we will use the open-source Titanium Web Proxy. The code samples in this post are meant to be run in LINQPad, which is my favorite tool for writing and running .NET code snippets, but you should have no difficulties in porting the samples to a C# script or a console application.
Continue readingasp.net
Performing Padding Oracle Attack from PowerShell
In the previous post we created a sample ASP.NET application, which performs encryption in an old, unsecured way (without signature). Its source code is available in my blog samples repository. To run the application execute the runiis.bat file – you must have IIS Express installed on your machine. If everything starts correctly you should see in your browser this beautiful page:
Case of Unresolvable IPv4 Addresses in IIS
One of my colleagues at work was struggling with a peculiar problem on his machine. Whenever he tried to access the address of his test project: http://my.project:8080 he was getting connection refused error (my.project points to 127.0.0.1 in the hosts file). The same error appeared when we opened the http://127.0.0.1:8080 address:
Forcing ASP.NET to encrypt like five years ago
While preparing slides and demos for the upcoming BSides Warsaw conference, I spent some time digging through the code of the old ASP.NET Crypto stack. In case you do not remember, six years ago researchers reported multiple cryptographic design flaws in ASP.NET. One of the critical issues was that ASP.NET did not authenticate ciphertexts. Thus they were vulnerable to the padding oracle attack. Microsoft learned its lesson and rewrote the crypto stack in ASP.NET 4.5. If you want to find out more, have a look at those three excellent articles by Levi Broderick: Part 1, Part 2, Part 3. As I plan to demo the padding oracle attack during my presentation I wanted to restore the old behavior using the latest version of the ASP.NET framework. In this post, I am presenting how I achieved that. But to watch the live demo, I invite you to come to my presentation at 10:00, Saturday, October 14th :).
Decrypting ASP.NET 4.5
The title mentions ASP.NET 4.5.x, but the encryption algorithm is exactly the same in ASP.NET 4.6.x. It won’t work however in earlier versions of ASP.NET.
Some time ago I published a post entitled “Decrypting ASP.NET identity cookies”. In that post we wrote a Python script to decrypt ASP.NET Identity cookies. You could have also learnt how the derived keys, used to encrypt those cookies, are calculated. If you are interested in details, please have a look at that article. But to summarize, the following steps are performed by ASP.NET:
- Extract the encryption and the validation key from the web.config file
- Calculate the derived keys using the SP800-108 specification, with the context and the label taken from an adequate Purpose class instance
- Validate and decrypt the cipher
The above procedure applies not only to the cookies decryption, but also to many other cryptographic operations, such as ViewState encryption, Forms Authentication, Anti-Forgery tokens creation etc. However, there is still a missing gap in the presented flow. What if the encryption and the validation keys are not explicitly set in the web.config file? Today, we will answer this question.
Debug notes 