Duncan Smart
Member
40 Points
14 Posts
Padding oracle detection script
Sep 22, 2010 08:34 AM
I've created a simple (simplistic?) script that will go some of the way in helping you diagnose if your sites have an obvious padding oracle vulnerability. The difference between this script and the one mentioned by ScottGu is that this one actually does a simple test of your site from the outside to see if the mitigations you have put in place are likely to have helped you. For example, you may have put an iRule on your F5 BigIP; this will help you test if that has been effective.
At the moment it just tests webresource.axd to see if it shows obvious symptoms of being a padding oracle. I'll likely update it to add more tests and would welcome comments and contributions.
http://blog.dotsmart.net/2010/09/22/asp-net-padding-oracle-detector/
Hope it helps!
Blog.dotsmart.net
softie1997
Member
196 Points
52 Posts
Re: Padding oracle detection script
Sep 22, 2010 04:25 PM
Thanks. Replying to get this out of the unanswered posts!
Please remember to mark the answer!
Duncan Smart
Member
40 Points
14 Posts
Re: Padding oracle detection script
Sep 24, 2010 02:58 PM
UPDATE: added check that includes 'aspxerrorpath' error page bypass as mentioned in comments of Troy's blog: http://www.troyhunt.com/2010/09/fear-uncertainty-and-and-padding-oracle.html
Blog.dotsmart.net
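The kind of check the original post and the update above describe, as an added example rather than Duncan's script: send WebResource.axd two requests that differ only in whether the encrypted `d` value is malformed, repeat both with `aspxerrorpath=/` appended (the error page bypass mentioned in the update), and flag the site when the HTTP status codes in a pair differ. The probe values, the `simulate` stand-in server and all function names are my own assumptions; the real script's exact requests are not shown on this page.

```python
"""Differential probe for ASP.NET padding-oracle symptoms on WebResource.axd.

Added example, not Duncan Smart's script. It reproduces the idea described in
the thread: request WebResource.axd with two ciphertexts that differ only in
being well-formed or malformed, and report a "status mismatch" when the
server answers them differently. Probe values, URL layout and the simulated
server below are assumptions, not taken from the original script.
"""
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple
from urllib.parse import parse_qs, urlparse

# Assumed probe values for the encrypted `d` parameter: one whose length is a
# whole number of 16-byte blocks and one with a trailing extra character, so an
# unmitigated server decrypts the first but throws on the second.
PROBES = {
    "well_formed": "A" * 32,
    "malformed": "A" * 33,
}

# A fetcher maps a URL to an HTTP status code; swap it out to test offline.
Fetch = Callable[[str], int]


def live_fetch(url: str) -> int:
    """Return the HTTP status for url, including 4xx/5xx (urllib raises on those)."""
    req = urllib.request.Request(url, headers={"User-Agent": "padding-oracle-check"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def probe_urls(site: str) -> List[Tuple[str, str]]:
    """Build (label, url) pairs: each probe with and without aspxerrorpath=/
    appended, the error-page bypass the thread's update refers to."""
    base = site.rstrip("/") + "/WebResource.axd?d="
    urls = []
    for name, d in PROBES.items():
        urls.append((name, base + d))
        urls.append((name + "+aspxerrorpath", base + d + "&aspxerrorpath=/"))
    return urls


def check_site(site: str, fetch: Fetch = live_fetch) -> Dict[str, object]:
    """Run all probes and compare the status codes pairwise.

    A mismatch between the well-formed and malformed probe is the symptom the
    original post reports; it is a hint, not proof, that a padding oracle is
    reachable (the check looks at status codes only, not timing or bodies)."""
    statuses = {label: fetch(url) for label, url in probe_urls(site)}
    findings = []
    for suffix in ("", "+aspxerrorpath"):
        a = statuses["well_formed" + suffix]
        b = statuses["malformed" + suffix]
        if a != b:
            findings.append(f"HTTP status mismatch{suffix}: {a} vs {b}")
    return {"statuses": statuses, "findings": findings, "suspect": bool(findings)}


def simulate(mitigated: bool) -> Fetch:
    """Constructed stand-in for a server, used so the example runs offline.

    Unmitigated: a well-formed ciphertext decrypts to a resource name that does
    not exist (404) while a malformed one raises a crypto error (500).
    Mitigated: every failure is rewritten to one error page with one status,
    so the two probes are indistinguishable."""
    def fetch(url: str) -> int:
        d = parse_qs(urlparse(url).query)["d"][0]
        if mitigated:
            return 500
        return 404 if len(d) % 16 == 0 else 500
    return fetch


if __name__ == "__main__":
    # Usage: python check.py http://www.example.com   (no URL: run the simulator)
    if len(sys.argv) > 1:
        result = check_site(sys.argv[1])
    else:
        result = check_site("http://example.invalid", simulate(mitigated=False))
    for label, code in result["statuses"].items():
        print(f"{label:28s} {code}")
    print("MIGHT BE VULNERABLE" if result["suspect"] else "No status mismatch seen")
    for f in result["findings"]:
        print("  " + f)
```

The fetcher is injected so the same comparison logic runs against a live site or against the constructed simulator; when testing a real mitigation (custom error page, iRule), expect both pairs to report no mismatch, and treat a mismatch only on the `aspxerrorpath` pair as a sign that the error page is being bypassed.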
Duncan Smart
Member
40 Points
14 Posts
Re: Padding oracle detection script
Sep 24, 2010 03:04 PM
Oh dear:
Enter site URL: http://www.microsoft.com
Testing site: http://www.microsoft.com/
MIGHT BE VULNERABLE: HTTP status mismatch
=== Response 1 ===
200 OK
=== Response 2 ===
500 Internal Server Error
Blog.dotsmart.net