Cookies from ASP.NET servers can be cracked
The method used by ASP.NET applications to encrypt cookies and other session data can be cracked, as security specialists Juliano Rizzo and Thai Duong will be explaining at the upcoming Ekoparty security conference. Reportedly, their exploit procedures allow access to private data.
The cause of the problem has to do with how the ASP.NET framework encrypts data. Generally, AES is used in the Cipher Block Chaining (CBC) mode, which is vulnerable to Padding Oracle attacks, in which sniffed data are encrypted without the key. In June, Rizzo and Duong presented their "Padding Oracle Exploitation Tool" (Poet), which exploits such vulnerabilities in the widely used "JavaServer Faces" (JSF) framework.
Rizzo and Duong estimate that 25% of all Web applications are based on ASP.NET, which means the problem should not be taken lightly. In their presentation, they plan to demonstrate how specially crafted authentication tickets can be used to get administrative access to a server.
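For defenders, the following added example (not code from this article, from ASP.NET, or from Rizzo and Duong's tool) shows where the padding oracle in CBC-encrypted cookies comes from and how authenticating the ciphertext before decrypting it closes it. All function names are hypothetical, the sample cookie is constructed, and a toy Feistel permutation stands in for AES so the block runs with the standard library alone; encrypt-then-MAC is shown as a general mitigation, not as the vendor's fix.

```python
import hashlib, hmac, os

BLOCK = 16

class PaddingError(Exception):
    """Raised when PKCS#7 padding is invalid."""

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _block(key, blk, decrypt=False):  # toy 4-round Feistel, constructed stand-in for AES
    l, r = blk[:8], blk[8:]
    for rnd in ((3, 2, 1, 0) if decrypt else (0, 1, 2, 3)):
        f = lambda h: hashlib.sha256(key + bytes([rnd]) + h).digest()[:8]
        l, r = (_xor(r, f(l)), l) if decrypt else (r, _xor(l, f(r)))
    return l + r

def cbc_encrypt(key, pt):
    pad = BLOCK - len(pt) % BLOCK
    pt += bytes([pad]) * pad  # PKCS#7 padding
    out = prev = os.urandom(BLOCK)  # random IV, sent as the first block
    for i in range(0, len(pt), BLOCK):
        prev = _block(key, _xor(pt[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, ct):
    pt = b"".join(_xor(_block(key, ct[i:i + BLOCK], True), ct[i - BLOCK:i])
                  for i in range(BLOCK, len(ct), BLOCK))
    pad = pt[-1] if pt else 0
    if len(ct) % BLOCK or not 1 <= pad <= BLOCK or pt[-pad:] != bytes([pad]) * pad:
        raise PaddingError("bad padding")
    return pt[:-pad]

def vulnerable_handler(key, cookie):
    try:
        data = cbc_decrypt(key, cookie)
    except PaddingError:
        return "500 padding error"  # differs from a bad ticket: this is the oracle
    return "200 ok" if data.startswith(b"user=") else "403 bad ticket"

def seal(enc_key, mac_key, pt):
    ct = cbc_encrypt(enc_key, pt)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()  # encrypt-then-MAC

def hardened_handler(enc_key, mac_key, cookie):
    ct, tag = cookie[:-32], cookie[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()):
        return "403 bad ticket"  # one response, before any decryption or unpadding
    return vulnerable_handler(enc_key, ct)  # ciphertext is authentic at this point
```

The unauthenticated handler answers a tampered cookie in two distinguishable ways depending on whether the padding survived, while the hardened handler gives the same answer to every modified cookie.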