Last post Sep 24, 2010 11:04 AM by Duncan Smart
Sep 22, 2010 04:34 AM | Duncan Smart
I've created a simple (simplistic?) script that will go some of the way in helping you diagnose if your sites have an obvious padding oracle vulnerability. The difference between this script and the one mentioned by ScottGu is that this one actually does a simple test of your site from the outside to see if the mitigations you have put in place are likely to have helped you. For example, you may have put an iRule on your F5 BigIP; this will help you test if that has been effective.

At the moment it just tests webresource.axd to see if it shows obvious symptoms of being a padding oracle. I'll likely update it to add more tests and would welcome comments and contributions.

Hope it helps!
Sep 22, 2010 12:25 PM | softie1997
Thanks. Replying to get this out of the unanswered posts!
Sep 24, 2010 10:58 AM | Duncan Smart
UPDATE: added check that includes 'aspxerrorpath' error page bypass as mentioned in comments of Troy's blog: http://www.troyhunt.com/2010/09/fear-uncertainty-and-and-padding-oracle.html
Sep 24, 2010 11:04 AM | Duncan Smart
Enter site URL:
Testing site: http://www.microsoft.com/
MIGHT BE VULNERABLE: HTTP status mismatch
=== Response 1 ===
=== Response 2 ===
500 Internal Server Error
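The output above shows the symptom the thread's script looks for: two requests for the same protected resource answered with different HTTP status codes. The following is an added, offline illustration of that comparison and is not the script posted in the thread. It assumes two responses have already been captured for WebResource.axd requested with two different malformed values in its encrypted `d` parameter, and reports whether an outside observer could tell them apart by status, redirect target or body. The `HttpResponse` type, the `assess` function and all three sample response pairs are constructed for this example; the 'aspxerrorpath' check mentioned in the update is not reproduced.

```python
# Added example, not the script from this thread: an offline illustration of the
# kind of black-box check described above. Two responses are compared that were
# (hypothetically) obtained by requesting WebResource.axd with two different
# malformed values in its encrypted "d" parameter. If the server answers the two
# requests distinguishably (status, redirect target or body), an outside observer
# can tell one decryption failure apart from another, which is the symptom a
# padding oracle shows. Identical answers mean the mitigation is hiding the
# difference, at least for this crude probe. All responses below are constructed.
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass(frozen=True)
class HttpResponse:
    """Minimal stand-in for a captured HTTP response (constructed type)."""
    status: int
    body: str
    headers: Dict[str, str] = field(default_factory=dict)

    def header(self, name: str) -> Optional[str]:
        # Header names are case-insensitive.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def normalise_body(body: str) -> str:
    """Collapse whitespace so trivial layout differences do not count as a mismatch."""
    return " ".join(body.split())


def assess(first: HttpResponse, second: HttpResponse) -> str:
    """Return a verdict in the style of the thread's script output.

    Any observable difference between the two error responses is reported,
    because any difference is a potential oracle; the most telling one
    (the status code) is checked first.
    """
    if first.status != second.status:
        return "MIGHT BE VULNERABLE: HTTP status mismatch"
    if first.header("Location") != second.header("Location"):
        return "MIGHT BE VULNERABLE: redirect target mismatch"
    if normalise_body(first.body) != normalise_body(second.body):
        return "MIGHT BE VULNERABLE: response body mismatch"
    return "NO OBVIOUS SYMPTOM: responses are indistinguishable"


# Constructed sample 1: an unmitigated site that lets ASP.NET's default error
# handling answer, so one malformed ciphertext produces a 500 and another a 404.
UNMITIGATED = (
    HttpResponse(500, "<html><body>Server Error</body></html>"),
    HttpResponse(404, "<html><body>The resource cannot be found.</body></html>"),
)

# Constructed sample 2: a site whose customErrors section sends every error to one
# page with ResponseRewrite, so both probes get the same 200 and the same body
# (the bodies differ only in whitespace, which normalise_body ignores).
MITIGATED = (
    HttpResponse(200, "<html><body>An error occurred.</body></html>"),
    HttpResponse(200, "<html><body>An  error occurred.</body></html>"),
)

# Constructed sample 3: both probes are redirected (302), but to different error
# pages, which still leaks the distinction even though the status codes match.
LEAKY_REDIRECT = (
    HttpResponse(302, "", {"Location": "/Error.aspx"}),
    HttpResponse(302, "", {"Location": "/NotFound.aspx"}),
)

if __name__ == "__main__":
    for name, pair in (("unmitigated", UNMITIGATED),
                       ("mitigated", MITIGATED),
                       ("leaky redirect", LEAKY_REDIRECT)):
        print(f"{name:>15}: {assess(*pair)}")
```

The third sample is the case a status-only check misses: matching status codes but different redirect targets still let the two failures be told apart, so a mitigation should be judged on the whole response, not the status line alone.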