SOURCE: Art of Defence

art of defence

September 16, 2010 11:27 ET

ASP.NET Vulnerability Issue Mitigated With art of defence's hyperguard

SAN FRANCISCO, CA--(Marketwire - September 16, 2010) -  

What: Two researchers have identified an attack vector aimed at web applications built on Microsoft's widely-used ASP.NET framework. The attack, which targets nearly 25% of all web apps, exploits the way ASP.NET web applications handle encrypted session cookies. The researchers plan to demonstrate this attack on Friday, September 17 at the Ekoparty Security Conference, and reveal the potential to expose passwords, bank information, social security numbers and all else encrypted using the framework's API. 
   
How: The attack uses a Padding Oracle Exploitation Tool (POET) to hijack ASP.NET sessions by padding the encrypted data on ASP.NET's session cookies. This triggers an error message that reveals enough about the way ASP.NET decrypts messages to make it possible to decrypt all the data. The Open Web Application Security Project (OWASP) ranks broken authentication and session management among the top three vulnerabilities in its well-known Top 10 list of security threats for 2010. The destructive POET attack can be mitigated by:
   
  • Iterative positive security rules,
  • Using session-specific encrypted URLs to minimize attack surface, and,
  • Secure session management to generate a random -- and secure -- identification in exchange for the valuable data stored on the cookie.
   
art of defence's hyperguard, distributed web application firewall (dWAF) technology, can protect against this attack. hyperguard's cookies cannot be manipulated by this attack because the cookies are stored in the architecture's Secure Cookie Jar. hyperguard transparently exchanges these cookies with its own WAF-generated cookies, which do not contain any application content.
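The following Python sketch is an added illustration of the session-management idea above (random identifier exchanged for the data, cookie carries no application content); it is not hyperguard's or art of defence's code, and the SecureCookieJar class, its key and the sample session data are constructed for this example.

```python
"""Opaque session cookies: the client holds only a random handle plus an HMAC tag,
never encrypted application data, so there is nothing for a padding oracle to decrypt."""
import hashlib
import hmac
import secrets
import time


class SecureCookieJar:
    """Hypothetical server-side store: application data stays on the server,
    keyed by a random, unguessable identifier issued to the browser."""

    def __init__(self, mac_key: bytes, ttl_seconds: int = 1800):
        self._mac_key = mac_key
        self._ttl = ttl_seconds
        self._store = {}  # handle -> (expiry timestamp, application data)

    def _tag(self, handle: str) -> bytes:
        # Keyed tag over the handle: a forged or altered cookie fails this check
        return hmac.new(self._mac_key, handle.encode(), hashlib.sha256).hexdigest().encode()

    def issue(self, app_data: dict, now: float = None) -> str:
        """Store app_data server-side and return the cookie value 'handle.tag'."""
        now = time.time() if now is None else now
        handle = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._store[handle] = (now + self._ttl, dict(app_data))
        return f"{handle}.{self._tag(handle).decode()}"

    def lookup(self, cookie: str, now: float = None):
        """Return the stored data, or None. Bad format, bad tag, unknown and
        expired handles all yield the same result, so the response leaks
        nothing about why a manipulated cookie was rejected."""
        now = time.time() if now is None else now
        handle, sep, tag = cookie.partition(".")
        if not sep:
            return None
        if not hmac.compare_digest(self._tag(handle), tag.encode()):  # constant-time
            return None
        entry = self._store.get(handle)
        if entry is None or entry[0] < now:
            self._store.pop(handle, None)  # drop stale entries on sight
            return None
        return entry[1]

    def revoke(self, cookie: str) -> None:
        """Invalidate a session on logout; the old cookie value becomes useless."""
        self._store.pop(cookie.partition(".")[0], None)
```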
   
Who: Georg Hess, CEO and founder, and Alexander Meisel, CTO of application security provider art of defence, can explain why these vulnerabilities exist, the severity of the attacks -- and how to fix them. Their expertise stems from art of defence's hyperguard, dWAF technology, which can identify the POET attack with positive security rules, as well as directly prevent the attack with secure session management and encrypted URLs.  
   
When: Georg Hess and Alexander Meisel are available immediately for media interviews. For scheduling, contact Aarti Shah @ artofdefence@marchpr.com.

Resource Links:

art of defence home page
http://www.artofdefence.com/index.php

hyperguard dWAF data sheet
http://www.artofdefence.com/dokumente/hyperguard_en.pdf

Bio for art of defence's co-founder/CTO Alexander Meisel
http://www.cloudbook.net/alex-meisel

Ekoparty session demonstrating attack
http://www.ekoparty.org/eng/thai-duong-2010.php
http://www.ekoparty.org/eng/juliano-rizzo-2010.php

OWASP Top 10 List
http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

About art of defence
Founded in 2005, art of defence established its San Francisco-based North American headquarters in 2009. Focused exclusively on providing comprehensive web application security technology on any scale, art of defence's distributed web application firewall (dWAF) technology, hyperguard™, is the industry's first WAF SaaS offering. Available in many forms, hyperguard is the most flexible solution on the market today. Customers have access to the solution as a software plug-in, virtual appliance, hardware appliance or as a standalone software solution.

The company serves the financial services, eCommerce, technology, telecommunication and public sector markets exclusively through OEM/technology and reseller channel partners. art of defence partners with leading technology providers like Amazon Web Services, Armorize, GeNUA, GoGrid, Microsoft and Zeus. Regensburg, Germany, remains the global headquarters for the European and Asian markets in addition to North America.

For more information about art of defence, visit: www.artofdefence.com/en
