sholodak
Member
34 Points
15 Posts
Sholo.Web.Security.EnhancedSecurityModule
Sep 24, 2010 08:42 PM
Hi,
I decided to write an HttpModule-based solution to the padding oracle exploit. The project is up at sws.codeplex.com and licensed under Apache 2. I don't have any official releases out there yet because I could use some help testing it and/or coding it. I haven't seen the exploit tools so I haven't been able to verify its effectiveness yet.
Right now, it's got 2 main features relating to the padding oracle exploit:
1. It stores FormsAuthenticationCookie and FormsAuthenticationTicket information on the server at the time the ticket is issued. It uses this information to strengthen ticket validation... a LOT. Even if your machine keys are compromised, nobody can create a FormsAuthenticationCookie that will pass validation.
2. It detects & prevents certain known padding oracle attack vectors (CryptographicExceptions on .axd requests) -- returns 200 codes where 404s or 500s are expected & introduces delays to the response.
The stateful forms authentication feature opens up a lot of possibilities down the road. At this point, you can 'kick' users and see who is online fairly accurately. The ability to ban users and IP addresses is not too far down the road. I might also build some intrusion prevention features in (automatically ban troublemakers for xx minutes). It will also be possible to enforce policies about FormsAuthenticationTickets per user and IP address. You could have a policy that says you can only be logged in from 1 IP+browser at a time. You could either deny the login request or revoke other tickets. This would let you prevent a user from logging in from 2 different computers, from sharing their credentials, or from using 2 different browsers on the same machine. It could also be useful to warn users that their account is in use elsewhere.
Take a look:
-Scott
www.sholo.net
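The sketch below is an added example for this thread, not code from sws.codeplex.com or from Scott's post. It shows how the two features the post describes can be wired into a single ASP.NET IHttpModule: stateful ticket validation (a random nonce placed in the ticket's UserData must map to a server-side record with the same user name, so a ticket forged with stolen machine keys still fails) and response shaping for padding-oracle probes (a CryptographicException on an .axd request becomes a uniform 200 with a randomised delay). The class and method names (StatefulFormsAuthModule, IssueTicket, RevokeUser), the in-memory registry and the .NET 4.0 dependency on FormsAuthentication.Timeout are assumptions of this example.

```csharp
// Added example, not the sws.codeplex.com project's code. Assumptions: .NET 4.0,
// an in-memory registry (lost on app recycle, not shared across a web farm), and
// login code that calls IssueTicket instead of FormsAuthentication.SetAuthCookie.
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Threading;
using System.Web;
using System.Web.Security;

public sealed class StatefulFormsAuthModule : IHttpModule
{
    private sealed class IssuedTicket
    {
        public string UserName;
        public string ClientIp;
        public DateTime IssuedUtc;
        public bool Revoked;
    }

    // nonce (stored in ticket.UserData) -> record of a ticket this server really issued
    private static readonly ConcurrentDictionary<string, IssuedTicket> Registry =
        new ConcurrentDictionary<string, IssuedTicket>(StringComparer.Ordinal);
    private static readonly RNGCryptoServiceProvider Rng = new RNGCryptoServiceProvider();

    public void Init(HttpApplication app)
    {
        app.PostAuthenticateRequest += OnPostAuthenticateRequest;
        app.Error += OnError;
    }

    public void Dispose() { }

    // Issue a ticket and record it server-side. Call this from the login page.
    public static void IssueTicket(HttpContext context, string userName, bool persistent)
    {
        var nonceBytes = new byte[16];
        Rng.GetBytes(nonceBytes);                        // 128-bit unguessable nonce
        string nonce = Convert.ToBase64String(nonceBytes);

        DateTime now = DateTime.Now;
        var ticket = new FormsAuthenticationTicket(2, userName, now,
            now.Add(FormsAuthentication.Timeout), persistent, nonce,
            FormsAuthentication.FormsCookiePath);

        Registry[nonce] = new IssuedTicket
        {
            UserName = userName,
            ClientIp = context.Request.UserHostAddress,
            IssuedUtc = DateTime.UtcNow
        };

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL,
            Path = FormsAuthentication.FormsCookiePath
        };
        if (persistent) cookie.Expires = ticket.Expiration;
        context.Response.Cookies.Add(cookie);
    }

    // "Kick" a user: every ticket registered to that name stops validating immediately.
    public static int RevokeUser(string userName)
    {
        int revoked = 0;
        foreach (var entry in Registry)
        {
            if (!entry.Value.Revoked &&
                string.Equals(entry.Value.UserName, userName, StringComparison.OrdinalIgnoreCase))
            {
                entry.Value.Revoked = true;
                revoked++;
            }
        }
        return revoked;
    }

    private static void OnPostAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext context = ((HttpApplication)sender).Context;
        var identity = context.User == null ? null : context.User.Identity as FormsIdentity;
        if (identity == null) return;                    // not forms-authenticated

        FormsAuthenticationTicket ticket = identity.Ticket;
        IssuedTicket record;
        bool known = !string.IsNullOrEmpty(ticket.UserData)
            && Registry.TryGetValue(ticket.UserData, out record)
            && !record.Revoked
            && string.Equals(record.UserName, ticket.Name, StringComparison.OrdinalIgnoreCase);
        if (known) return;

        // The ticket decrypted and passed the MAC (possible with stolen machine keys),
        // but this server never issued it or has revoked it: treat as anonymous.
        FormsAuthentication.SignOut();
        context.User = new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
    }

    private static void OnError(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        HttpContext context = app.Context;
        Exception ex = context.Server.GetLastError();
        if (ex == null) return;
        bool axd = context.Request.Path.EndsWith(".axd", StringComparison.OrdinalIgnoreCase);
        if (!axd || !(ex.GetBaseException() is CryptographicException)) return;

        // Same status and body for every padding failure, plus 200-1500 ms of random delay,
        // so the probe cannot tell a bad pad from a good one by status code or timing.
        var d = new byte[2];
        Rng.GetBytes(d);
        Thread.Sleep(200 + BitConverter.ToUInt16(d, 0) % 1300);
        context.Server.ClearError();
        context.Response.Clear();
        context.Response.StatusCode = 200;
        context.Response.ContentType = "text/plain";
        context.Response.Write("OK");
        app.CompleteRequest();
    }
}
```

Register the module under system.webServer/modules (IIS 7 integrated pipeline) or system.web/httpModules (classic), and have the login page call StatefulFormsAuthModule.IssueTicket rather than FormsAuthentication.SetAuthCookie. Two caveats a practitioner should weigh: the registry here lives in process memory, so tickets die with an app-pool recycle and a web farm needs a shared store; and the error handler only masks exceptions that actually reach the Error event on .axd paths, so it reduces the oracle's signal rather than removing the oracle, and does not replace the vendor patch.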