Last post Sep 24, 2010 08:42 PM by sholodak
I decided to write an HttpModule-based solution to the padding oracle exploit. The project is up at sws.codeplex.com and licensed under Apache 2. I don't have any official releases out there yet because I could use some help testing it and/or coding it.
I haven't seen the exploit tools so I haven't been able to verify its effectiveness yet.
Right now, it's got 2 main features relating to the padding oracle exploit:
The stateful forms authentication feature opens up a lot of possibilities down the road. At this point, you can 'kick' users and see who is online fairly accurately. The ability to ban users and IP addresses is not too far down the road. I might also build some intrusion prevention features in (automatically ban troublemakers for xx minutes). It will also be possible to enforce policies about FormsAuthenticationTickets per user and IP address. You could have a policy that says you can only be logged in from 1 IP+browser at a time. You could either deny the login request or revoke other tickets. This would let you prevent a user from logging in from 2 different computers, from sharing their credentials, or from using 2 different browsers on the same machine. It could also be useful to warn users that their account is in use elsewhere.
Take a look:
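The following is an added example, not code from the sws.codeplex.com project, sketching the "stateful forms authentication" idea in the post: an IHttpModule that records every ticket the server issues in a server-side registry keyed by user name, honours a ticket only while it still matches that entry, and enforces the "one IP+browser at a time" policy with either the deny or the revoke behaviour. Every class, method and policy name here (`TicketRegistry`, `StatefulFormsAuthModule`, `ConcurrentLoginPolicy`, `IssueTicket`) is hypothetical; the System.Web calls (`FormsAuthentication.SetAuthCookie`, `SignOut`, `RedirectToLoginPage`, `HttpApplication.PostAuthenticateRequest`) are the standard ASP.NET ones.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Security;

// Added example (not the sws project's code). Because the registry only contains tickets this
// server issued, a ticket the server never issued (e.g. a cookie forged by tampering) fails the
// lookup even if it decrypts cleanly, which is the point of making forms auth stateful.
public enum ConcurrentLoginPolicy
{
    DenyNew,       // keep the existing session and reject the new login request
    RevokeOthers   // the new login wins; the earlier ticket stops being honoured
}

public sealed class TicketRegistry
{
    // user name -> client fingerprint (IP + User-Agent) the user's current ticket is bound to
    private readonly Dictionary<string, string> _active =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
    private readonly object _lock = new object();

    public static string Fingerprint(string ip, string userAgent)
    {
        return ip + "|" + (userAgent ?? string.Empty);
    }

    // Called after credentials have been validated, before the ticket is issued.
    // Returns false when the policy says this login must be denied.
    public bool TryRegister(string user, string fingerprint, ConcurrentLoginPolicy policy)
    {
        lock (_lock)
        {
            string existing;
            if (_active.TryGetValue(user, out existing) && existing != fingerprint
                && policy == ConcurrentLoginPolicy.DenyNew)
            {
                return false;               // already logged in from another IP or browser
            }
            _active[user] = fingerprint;    // first login, or RevokeOthers: replace the entry
            return true;
        }
    }

    public bool IsCurrent(string user, string fingerprint)
    {
        lock (_lock)
        {
            string existing;
            return _active.TryGetValue(user, out existing) && existing == fingerprint;
        }
    }

    public void Revoke(string user)          // "kick" a user
    {
        lock (_lock) { _active.Remove(user); }
    }

    public ICollection<string> OnlineUsers()  // "who is online" = who holds a live ticket
    {
        lock (_lock) { return new List<string>(_active.Keys); }
    }
}

public sealed class StatefulFormsAuthModule : IHttpModule
{
    // One registry per worker process: an app-pool recycle empties it (every user must log in
    // again) and it is not shared across a web farm, which would need a shared store instead.
    public static readonly TicketRegistry Registry = new TicketRegistry();
    public static ConcurrentLoginPolicy Policy = ConcurrentLoginPolicy.RevokeOthers;

    // Register in web.config (IIS 7 integrated pipeline):
    //   <system.webServer><modules>
    //     <add name="StatefulFormsAuth" type="StatefulFormsAuthModule" />
    //   </modules></system.webServer>
    public void Init(HttpApplication app)
    {
        app.PostAuthenticateRequest += OnPostAuthenticateRequest;
    }

    public void Dispose() { }

    // The login page calls this once Membership (or whatever) has validated the credentials.
    public static bool IssueTicket(HttpContext ctx, string user, bool persistent)
    {
        string fp = TicketRegistry.Fingerprint(ctx.Request.UserHostAddress, ctx.Request.UserAgent);
        if (!Registry.TryRegister(user, fp, Policy))
            return false;                      // DenyNew policy: tell the user the account is in use
        FormsAuthentication.SetAuthCookie(user, persistent);
        return true;
    }

    // Runs after FormsAuthenticationModule has decrypted the cookie and set ctx.User.
    private static void OnPostAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated)
            return;                            // anonymous request: nothing to check

        string user = ctx.User.Identity.Name;
        string fp = TicketRegistry.Fingerprint(ctx.Request.UserHostAddress, ctx.Request.UserAgent);
        if (Registry.IsCurrent(user, fp))
            return;

        // Ticket was revoked, was never issued by this process, or is presented from a different
        // IP/browser than it was bound to: clear the cookie and send the client to the login page.
        FormsAuthentication.SignOut();
        FormsAuthentication.RedirectToLoginPage();
    }
}
```

Binding the ticket to the client IP is what makes the "1 IP+browser" policy possible, but it also logs out users whose address changes mid-session (mobile clients, proxies); a deployment that finds that too strict can fingerprint on User-Agent alone and still keep the issued-ticket check, which is the part that matters for rejecting tickets the server never created.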