Last post Sep 20, 2010 04:27 PM by owjeff
Sep 20, 2010 12:38 PM|kwalkerk
We have several applications configured with a web.config as follows:
<customErrors mode="Off" />
<forms name="TokenName" loginUrl="logon.aspx" protection="All" path="/" timeout="15" slidingExpiration="true" />
Since an unsuccessful login will bring people back to this page - am I still vulnerable to someone who has not authenticated? It seems I would be vulnerable to someone who has successfully logged in, but that creates a much lesser concern on my part.
Sep 20, 2010 12:47 PM|redneal
Unfortunately, a request of the following type:
will be serviced and produce an error without needing a login/authentication first. So, even having forms authentication set to protect all resources within the website is not sufficient.
Sep 20, 2010 12:53 PM|DeviantSeev
I tried using the POET tool on a site which we have configured similarly to yours. The POET tool failed at identifying the oracle. However, I would still like someone from Microsoft to verify that forms authentication prevents this attack.
Link to the video of how to use the POET tool:
Link to the POET tool: http://netifera.com/research/
Sep 20, 2010 01:00 PM|owjeff
The POET tool on the netifera.com site is tailored to the JavaServer Faces platform, not ASP.NET. That does not mean your site is not vulnerable to the attack. Forms authentication does not make you invulnerable to the attack.
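As an added example (not from any post in this thread), the web.config quoted at the top of the thread is shown beside a hardened form along the lines of Microsoft's published workaround for this issue; the enclosing `<authentication>` element and the `~/Error.aspx` path are assumptions.

```xml
<!-- Before: the configuration quoted in the thread. With customErrors off, an
     unhandled error produces a response that differs by failure type, and it is
     produced before forms authentication gets a chance to redirect the caller. -->
<system.web>
  <customErrors mode="Off" />
  <authentication mode="Forms">  <!-- assumed wrapper; the post omits it -->
    <forms name="TokenName" loginUrl="logon.aspx" protection="All" path="/"
           timeout="15" slidingExpiration="true" />
  </authentication>
</system.web>

<!-- After: every unhandled error, whatever its cause or status code, is rewritten
     in place to one identical page (assumed path ~/Error.aspx), so the response no
     longer reveals which failure occurred. Deliberately no per-status <error>
     sub-elements, since those would make responses distinguishable again.
     redirectMode="ResponseRewrite" requires .NET 3.5 SP1 or later. -->
<system.web>
  <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/Error.aspx" />
  <authentication mode="Forms">
    <forms name="TokenName" loginUrl="logon.aspx" protection="All" path="/"
           timeout="15" slidingExpiration="true" />
  </authentication>
</system.web>
```

The hardened setting addresses the error-page side of the oracle only; applying the vendor's patch is still the actual fix.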
Sep 20, 2010 01:36 PM|kwalkerk
Thanks for the quick reply. Was hoping to get out of some work - oh well, it is Monday.
Sep 20, 2010 04:21 PM|DeviantSeev
Is the poet.py file that is used in that video available somewhere?
Sep 20, 2010 04:27 PM|owjeff
Not that I have found (which is a good thing).