Padding oracle detection script

  • Question

  • User32459769 posted

    I've created a simple (simplistic?) script that will go some of the way in helping you diagnose if your sites have an obvious padding oracle vulnerability. The difference between this script and the one mentioned by ScottGu is that this one actually does a simple test of your site from the outside to see if the mitigations you have put in place are likely to have helped you. For example, you may have put an iRule on your F5 BigIP - this will help you test if that has been effective.

    At the moment it just tests webresource.axd to see if it shows obvious symptoms of being a padding oracle. I'll likely update it to add more tests and would welcome comments and contributions.

    http://blog.dotsmart.net/2010/09/22/asp-net-padding-oracle-detector/

    Hope it helps!

    Wednesday, September 22, 2010 4:34 AM

Answers

  • User829343672 posted

    Thanks.  Replying to get this out of the unanswered posts!

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Wednesday, September 22, 2010 12:25 PM

All replies

  • User32459769 posted

    UPDATE: added check that includes 'aspxerrorpath' error page bypass as mentioned in comments of Troy's blog: http://www.troyhunt.com/2010/09/fear-uncertainty-and-and-padding-oracle.html

    Friday, September 24, 2010 10:58 AM
  • User32459769 posted

    Oh dear:

    Enter site URL:
    http://www.microsoft.com
    Testing site: http://www.microsoft.com/
    MIGHT BE VULNERABLE: HTTP status mismatch
    
    === Response 1 ===
    200 OK
    
    === Response 2 ===
    500 Internal Server Error
    
    Friday, September 24, 2010 11:04 AM
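
The kind of comparison that produces a "HTTP status mismatch" verdict like the one above, as an added example that is not part of the thread or the linked script. It assumes the check works by comparing the responses to two differently malformed requests; the `Response` type, function names and sample responses are constructed for illustration, and nothing is sent over the network.

```python
from dataclasses import dataclass, field


@dataclass
class Response:
    """A captured HTTP response (hypothetical container, not from the script)."""
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def differences(r1, r2):
    """List the externally observable signals that tell r1 and r2 apart."""
    found = []
    if r1.status != r2.status:
        found.append("HTTP status mismatch")
    # Header names are case-insensitive, so normalise before comparing.
    h1 = {k.lower(): v for k, v in r1.headers.items()}
    h2 = {k.lower(): v for k, v in r2.headers.items()}
    for name in ("location", "content-type"):
        if h1.get(name) != h2.get(name):
            found.append(f"{name} header mismatch")
    if len(r1.body) != len(r2.body):
        found.append("body length mismatch")
    elif r1.body != r2.body:
        found.append("body content mismatch")
    return found


def verdict(r1, r2):
    """A mitigated site answers both malformed requests identically."""
    diffs = differences(r1, r2)
    if diffs:
        return "MIGHT BE VULNERABLE: " + ", ".join(diffs)
    return "No obvious difference between responses"


# Constructed sample: the status pair shown in the post above.
UNMITIGATED = (Response(200), Response(500))

# Constructed sample: one uniform error page for every failure.
ERROR_PAGE = b"<html><body>An error occurred.</body></html>"
MITIGATED = (
    Response(200, {"Content-Type": "text/html"}, ERROR_PAGE),
    Response(200, {"content-type": "text/html"}, ERROR_PAGE),
)

if __name__ == "__main__":
    print(verdict(*UNMITIGATED))
    print(verdict(*MITIGATED))
```

The comparison covers status, two headers and the body only; it does not measure response timing.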