Wednesday, 29 September 2010

Do you trust your hosting provider and have they really installed the padding oracle patch?

Finally they’ve delivered! Earlier today the much awaited padding oracle patch was released by Microsoft. As usual, Scott Guthrie has written about it and you can find all the info in ASP.NET Security Update Now Available.

It’s not a moment too soon either. According to Thai Duong, half of the duo responsible for bringing the vulnerability in ASP.NET to public awareness, the guidance Microsoft has provided over the last couple of weeks was, well, a waste of time. And here’s another video to prove it:

Saturday, 25 September 2010

Why sleep is good for your app’s padding oracle health

The last week hasn’t been particularly kind to ASP.NET, and that’s probably a more than generous way of putting it. Only a week ago now, Scott Guthrie wrote about an Important ASP.NET Security Vulnerability; the padding oracle exploit. I watched with interest as he was flooded with a barrage of questions (316 as of now) and realised that whilst he’d done his best to explain the mitigation, he obviously had constraints around explaining why it was necessary.

I wrote about Fear, uncertainty and the padding oracle exploit in ASP.NET the day after in an attempt to shed some light on why Scott’s recommendations made good sense, even if they seemed a bit odd on the surface of it. I talked about how the custom error process obfuscated the underlying error message and how this offered a heightened level of security and I touched very briefly on his guidance about response rewriting and random sleep periods.

Now I want to demonstrate why random sleep periods are important, why response rewriting is essential and finally, why older versions of the .NET framework leave you more at risk than the newer releases.

Sep 29th update: The patch and how to test for it in Do you trust your hosting provider and have they really installed the padding oracle patch?

Sunday, 19 September 2010

Fear, uncertainty and the padding oracle exploit in ASP.NET

You’ve gotta feel a bit sorry for Scott Guthrie. Microsoft’s developer division VP normally spends his time writing about all the great new work his team is doing and basking in the kudos of loyal followers. But not this weekend. Unfortunately his latest post has been all about repeating the same dire message: ASP.NET has a major security flaw posing a critical vulnerability to millions of websites. Actually that’s putting it nicely; much of the feedback on the web is a little blunter, talking about the vulnerability totally destroying ASP.NET security. Ouch.

Actually, it’s not so much the fact he had to write the post that makes me feel sorry for him, it’s that he has to continually respond to the same questions from (understandably) fearful, worried customers. It’s not surprising: the vulnerability is a little abstract to understand and the potential ramifications are rather scary. Furthermore, the mitigations he has recommended – namely around error handling – probably seem a little obscure.

This is an issue which is quite possibly going to consume a bit of my time in the coming weeks so I thought I’d start out right now by explaining what the vulnerability is, what remediation is required and most importantly, actually show how they mitigate the problem. It’s this last point that I don’t think Scott quite captured and I suspect that’s why there is so much uncertainty now.

Sep 25th update: I’ve also written about Why sleep is good for your app’s padding oracle health
Sep 29th update: The patch and how to test for it in Do you trust your hosting provider and have they really installed the padding oracle patch?

Friday, 17 September 2010

.NET4 web apps and the mysteriously absent menu pop out images

I got a little stumped this week and turned to the fountain of software knowledge, also known as Stack Overflow, with a question about Missing popout class in ASP.NET menu for nodes without a URL. The problem is simply this: let’s take the following Web.sitemap file:

<?xml version="1.0" encoding="utf-8" ?>
<siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0">
  <siteMapNode url="" title="" description="">
    <siteMapNode title="Top 1" url="~/Top1.aspx">
      <siteMapNode title="Sub 1" url="~/Sub1.aspx" />
    </siteMapNode>
    <siteMapNode title="Top 2">
      <siteMapNode title="Sub 2" url="~/Sub2.aspx" />
    </siteMapNode>
  </siteMapNode>
</siteMap>

Now for an absolute bare bones implementation of a sitemap data source and menu control:

<asp:Menu runat="server" DataSourceID="menuDs" Orientation="Horizontal" />
<asp:SiteMapDataSource ID="menuDs" runat="server" ShowStartingNode="false" />

So here’s the question: will the sitemap node titled “Top 2” display a pop out icon to indicate there’s content beneath it or not? Note that it doesn’t have a URL defined.

The answer depends on the version of .NET the code runs against, or more specifically, which version the control rendering runs against. Here’s how it looks when running against .NET 3.5, or against .NET 4 with the controlRenderingCompatibilityVersion attribute set to 3.5:

Tuesday, 7 September 2010

OWASP Top 10 for .NET developers part 4: Insecure direct object reference

Consider for a moment the sheer volume of information that sits out there on the web and is accessible by literally anyone. No authentication is required and no subversive techniques need be employed; these days just a simple Google search can turn up all sorts of things. And yes, that includes content which hasn’t been promoted and even content which sits behind a publicly facing IP address without a user-friendly domain name.

Interested in confidential government documents? Here you go. How about viewing the streams from personal webcams? This one’s easy. I’ll hazard a guess that in many of these scenarios, people relied on the good old security through obscurity mantra. If I don’t tell anyone it’s there, nobody will find it, right?

Wrong, very wrong, and unfortunately this mentality persists well beyond just document storage and webcams; it’s prevalent in application design. Developers often implement solutions with the full expectation that they will only ever be accessed in the intended context, unaware (or unconcerned) that just a little bit of exploration and experimenting can open some fairly major holes in their app.
