{"id":2246,"date":"2010-09-25T07:15:09","date_gmt":"2010-09-25T07:15:09","guid":{"rendered":"http:\/\/blog.resellerclub.com\/?p=2246"},"modified":"2025-10-24T14:05:59","modified_gmt":"2025-10-24T14:05:59","slug":"how-to-secure-your-site-against-a-vulnerability-in-asp-net-that-could-allow-information-disclosure","status":"publish","type":"post","link":"https:\/\/www.resellerclub.com\/blog\/how-to-secure-your-site-against-a-vulnerability-in-asp-net-that-could-allow-information-disclosure\/","title":{"rendered":"How to secure your site against a vulnerability in ASP.NET that could allow Information Disclosure."},"content":{"rendered":"<p><span style=\"font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px;\">A few days ago Microsoft released a Security Advisory (http:\/\/www.microsoft.com\/technet\/security\/advisory\/2416728.mspx) about a vulnerability which affects all versions of ASP.NET. This vulnerability known as Padding Oracle exploits the way an ASP.NET application handles encrypted data. ASP.NET encrypts data to prevent an application from tampering with it. Because of this vulnerability, an attacker can send data to a site and analyze the error response which provides a lot of information enabling the attacker to break the ASP.NET&#8217;s encryption in a matter of hours or minutes. An attacker then would be able to read a vulnerable application&#8217;s files and tamper with the data contained in them.<\/span><\/p>\n<p><span style=\"font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px;\"><strong>Workaround <\/strong><\/span><\/p>\n<p><span style=\"font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px;\">A workaround that you can use against this vulnerability is to enable &lt;customErrors&gt; mode in the web.config file of your application, and explicitly configure your applications to always return the same error page &#8211; regardless of the error encountered on the server. By mapping all error pages to a single error page, you prevent a hacker from distinguishing between the different types of errors that occur on a server.<\/span><\/p>\n<p><span style=\"font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px;\"><strong>Enabling the Workaround on ASP.NET V1.0 to V3.5<\/strong><\/span><\/p>\n<p><span style=\"font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px;\">If you are using ASP.NET 1.0, ASP.NET 1.1, ASP.NET 2.0, or ASP.NET 3.5 then you should follow the below steps to enable &lt;customErrors&gt; and map all errors to a single error page:<\/span><\/p>\n<div style=\"padding: 10px; background: #ffffcc none repeat scroll 0% 50%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; font-family: Verdana,Arial,Helvetica,sans-serif; font-size: 12px;\">\n<ul>\n<li>Edit your ASP.NET Application\u2019s root Web.Config file.\u00a0 If the file doesn\u2019t exist, then create one in the root directory of the application.<\/li>\n<li>Create or modify the &lt;customErrors&gt; section of the web.config file to have the below settings:<\/li>\n<\/ul>\n<p><span style=\"visibility: hidden;\">++<\/span>&lt;\/configuration&gt;<\/p>\n<p><span style=\"visibility: hidden;\">++<\/span>&lt;system.web&gt;<\/p>\n<p><span style=\"visibility: hidden;\">++<\/span>&lt;customErrors mode=&#8221;On&#8221; defaultRedirect=&#8221;~\/error.html&#8221; \/&gt;<\/p>\n<p><span style=\"visibility: hidden;\">++<\/span>&lt;\/system.web&gt;<\/p>\n<p><span style=\"visibility: hidden;\">++<\/span>&lt;\/configuration&gt;<\/p>\n<ul>\n<li>You can then add an error.html file to your application that contains an appropriate error page of your choice (containing whatever content you like).\u00a0 This file will be displayed anytime an error occurs within the web application.<\/li>\n<\/ul>\n<\/div>\n<p><span style=\"font-family: Verdana, Arial, Helvetica, sans-serif; font-size: small;\"><br \/>\n<\/span><\/p>\n<p><span style=\"font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px;\"><strong>Enabling the Workaround on ASP.NET V3.5 SP1 and ASP.NET 4.0<\/strong><\/span><\/p>\n<p><span style=\"font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px;\">If you are using ASP.NET 3.5 SP1 or ASP.NET 4.0 then you should follow the below steps to enable &lt;customErrors&gt; and map all errors to a single error page:<\/span><\/p>\n<div style=\"padding: 10px; background: #ffffcc none repeat scroll 0% 50%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; font-family: Verdana,Arial,Helvetica,sans-serif; font-size: 12px;\">\n<ul>\n<li>Edit your ASP.NET Application\u2019s root Web.Config file.\u00a0 If the file doesn\u2019t exist, then create one in the root directory of the application.<\/li>\n<li>Create or modify the &lt;customErrors&gt; section of the web.config file to have the below settings.\u00a0 Note the use of redirectMode=\u201dResponseRewrite\u201d with .NET 3.5 SP1 and .NET 4.0:<\/li>\n<\/ul>\n<p><span style=\"visibility: hidden;\">++<\/span>&lt;configuration&gt;<\/p>\n<p><span style=\"visibility: hidden;\">++<\/span>&lt;system.web&gt;<\/p>\n<p><span style=\"visibility: hidden;\">++<\/span>&lt;customErrors mode=&#8221;On&#8221; redirectMode=&#8221;ResponseRewrite&#8221;<br \/>\n<span style=\"visibility: hidden;\">++<\/span>defaultRedirect=&#8221;~\/error.aspx&#8221; \/&gt;<\/p>\n<p><span style=\"visibility: hidden;\">++<\/span>&lt;\/system.web&gt;<\/p>\n<p><span style=\"visibility: hidden;\">++<\/span>&lt;\/configuration&gt;<\/p>\n<ul>\n<li>You can then add an Error.aspx to your application that contains an appropriate error page of your choice (containing whatever content you like).\u00a0 This file will be displayed anytime an error occurs within the web application.<\/li>\n<\/ul>\n<\/div>\n<p><span style=\"font-family: Verdana, Arial, Helvetica, sans-serif; font-size: small;\"><br \/>\n<\/span><\/p>\n<p><span style=\"font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px;\"><strong>How to Verify if the Workaround is Enabled<\/strong><\/span><\/p>\n<p><span style=\"font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px;\">Once you have applied the above workaround, you can test to make sure the &lt;customErrors&gt; section is correctly configured by requesting a URL like this from your site: http:\/\/mysite.com\/pagethatdoesnotexist.aspx<\/span><\/p>\n<p><span style=\"font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px;\">If you see the custom error page appear (because the file you requested doesn\u2019t exist) then your configuration has been setup correctly.\u00a0 If you see a standard ASP.NET error then it is likely that you missed one of the steps above.<\/span><\/p>\n<p><span style=\"font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px;\">Microsoft is currently working on a patch to fix this vulnerability. Once released, we will apply this on all of our Windows servers. This workaround will not be needed after that.<\/span><\/p>\n<p><span style=\"font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px;\"><em>We are looking for you to suggest what topics you would like to see on this blog. We will try our best to make sure the information that is critical to you is always available here.<\/em><\/span><\/p>\n<div class=\"fb-background-color\">\n\t\t\t  <div \n\t\t\t  \tclass = \"fb-comments\" \n\t\t\t  \tdata-href = \"https:\/\/www.resellerclub.com\/blog\/how-to-secure-your-site-against-a-vulnerability-in-asp-net-that-could-allow-information-disclosure\/\"\n\t\t\t  \tdata-numposts = \"10\"\n\t\t\t  \tdata-lazy = \"true\"\n\t\t\t\tdata-colorscheme = \"light\"\n\t\t\t\tdata-order-by = \"social\"\n\t\t\t\tdata-mobile=true>\n\t\t\t  <\/div><\/div>\n\t\t  <style>\n\t\t    .fb-background-color {\n\t\t\t\tbackground:  !important;\n\t\t\t}\n\t\t\t.fb_iframe_widget_fluid_desktop iframe {\n\t\t\t    width: 100% !important;\n\t\t\t}\n\t\t  <\/style>\n\t\t  ","protected":false},"excerpt":{"rendered":"<p>A few days ago Microsoft released a Security Advisory (http:\/\/www.microsoft.com\/technet\/security\/advisory\/2416728.mspx) about a vulnerability which affects all versions of ASP.NET. This vulnerability known as Padding Oracle exploits the way an ASP.NET application handles encrypted data. ASP.NET encrypts data to prevent an application from tampering with it. Because of this vulnerability, an attacker can send data to<\/p>\n","protected":false},"author":18,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_rc_manual_related_posts":[],"footnotes":""},"categories":[813,1533],"tags":[],"hashtags":[],"class_list":{"0":"post-2246","1":"post","2":"type-post","3":"status-publish","4":"format-standard","6":"category-website-security-2","7":"category-tech"},"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v17.1 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>How to secure your site against a vulnerability in ASP.NET that could allow Information Disclosure.<\/title>\n<meta name=\"description\" content=\"Subscribe to the official ResellerClub Blog for tips on your Web Design and Development business. Get updates on Digital Marketing, Doamins and Hosting offers!\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.resellerclub.com\/blog\/how-to-secure-your-site-against-a-vulnerability-in-asp-net-that-could-allow-information-disclosure\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"How to secure your site against a vulnerability in ASP.NET that could allow Information Disclosure.\" \/>\n<meta property=\"og:description\" content=\"Subscribe to the official ResellerClub Blog for tips on your Web Design and Development business. Get updates on Digital Marketing, Doamins and Hosting offers!\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.resellerclub.com\/blog\/how-to-secure-your-site-against-a-vulnerability-in-asp-net-that-could-allow-information-disclosure\/\" \/>\n<meta property=\"og:site_name\" content=\"ResellerClub Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/profile.php?id=100005889763273\" \/>\n<meta property=\"article:published_time\" content=\"2010-09-25T07:15:09+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-10-24T14:05:59+00:00\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"madhusudan.s\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.resellerclub.com\/blog\/#website\",\"url\":\"https:\/\/www.resellerclub.com\/blog\/\",\"name\":\"ResellerClub Blog\",\"description\":\"Web Hosting &amp; Domains\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.resellerclub.com\/blog\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.resellerclub.com\/blog\/how-to-secure-your-site-against-a-vulnerability-in-asp-net-that-could-allow-information-disclosure\/#webpage\",\"url\":\"https:\/\/www.resellerclub.com\/blog\/how-to-secure-your-site-against-a-vulnerability-in-asp-net-that-could-allow-information-disclosure\/\",\"name\":\"How to secure your site against a vulnerability in ASP.NET that could allow Information Disclosure.\",\"isPartOf\":{\"@id\":\"https:\/\/www.resellerclub.com\/blog\/#website\"},\"datePublished\":\"2010-09-25T07:15:09+00:00\",\"dateModified\":\"2025-10-24T14:05:59+00:00\",\"author\":{\"@id\":\"https:\/\/www.resellerclub.com\/blog\/#\/schema\/person\/8e8e4d9bc3cbe9a301c2df643ce0d776\"},\"description\":\"Subscribe to the official ResellerClub Blog for tips on your Web Design and Development business. Get updates on Digital Marketing, Doamins and Hosting offers!\",\"breadcrumb\":{\"@id\":\"https:\/\/www.resellerclub.com\/blog\/how-to-secure-your-site-against-a-vulnerability-in-asp-net-that-could-allow-information-disclosure\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.resellerclub.com\/blog\/how-to-secure-your-site-against-a-vulnerability-in-asp-net-that-could-allow-information-disclosure\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.resellerclub.com\/blog\/how-to-secure-your-site-against-a-vulnerability-in-asp-net-that-could-allow-information-disclosure\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.resellerclub.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"How to secure your site against a vulnerability in ASP.NET that could allow Information Disclosure.\"}]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.resellerclub.com\/blog\/#\/schema\/person\/8e8e4d9bc3cbe9a301c2df643ce0d776\",\"name\":\"madhusudan.s\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.resellerclub.com\/blog\/#personlogo\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/86ce616cb03d5c54d290d9d5cbfc433c4a3b2d1e684865b27856bc13681f5ea1?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/86ce616cb03d5c54d290d9d5cbfc433c4a3b2d1e684865b27856bc13681f5ea1?s=96&d=mm&r=g\",\"caption\":\"madhusudan.s\"},\"url\":\"https:\/\/www.resellerclub.com\/blog\/author\/madhusudan-s\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"How to secure your site against a vulnerability in ASP.NET that could allow Information Disclosure.","description":"Subscribe to the official ResellerClub Blog for tips on your Web Design and Development business. Get updates on Digital Marketing, Doamins and Hosting offers!","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.resellerclub.com\/blog\/how-to-secure-your-site-against-a-vulnerability-in-asp-net-that-could-allow-information-disclosure\/","og_locale":"en_US","og_type":"article","og_title":"How to secure your site against a vulnerability in ASP.NET that could allow Information Disclosure.","og_description":"Subscribe to the official ResellerClub Blog for tips on your Web Design and Development business. Get updates on Digital Marketing, Doamins and Hosting offers!","og_url":"https:\/\/www.resellerclub.com\/blog\/how-to-secure-your-site-against-a-vulnerability-in-asp-net-that-could-allow-information-disclosure\/","og_site_name":"ResellerClub Blog","article_publisher":"https:\/\/www.facebook.com\/profile.php?id=100005889763273","article_published_time":"2010-09-25T07:15:09+00:00","article_modified_time":"2025-10-24T14:05:59+00:00","twitter_card":"summary_large_image","twitter_misc":{"Written by":"madhusudan.s","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebSite","@id":"https:\/\/www.resellerclub.com\/blog\/#website","url":"https:\/\/www.resellerclub.com\/blog\/","name":"ResellerClub Blog","description":"Web Hosting &amp; Domains","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.resellerclub.com\/blog\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.resellerclub.com\/blog\/how-to-secure-your-site-against-a-vulnerability-in-asp-net-that-could-allow-information-disclosure\/#webpage","url":"https:\/\/www.resellerclub.com\/blog\/how-to-secure-your-site-against-a-vulnerability-in-asp-net-that-could-allow-information-disclosure\/","name":"How to secure your site against a vulnerability in ASP.NET that could allow Information Disclosure.","isPartOf":{"@id":"https:\/\/www.resellerclub.com\/blog\/#website"},"datePublished":"2010-09-25T07:15:09+00:00","dateModified":"2025-10-24T14:05:59+00:00","author":{"@id":"https:\/\/www.resellerclub.com\/blog\/#\/schema\/person\/8e8e4d9bc3cbe9a301c2df643ce0d776"},"description":"Subscribe to the official ResellerClub Blog for tips on your Web Design and Development business. Get updates on Digital Marketing, Doamins and Hosting offers!","breadcrumb":{"@id":"https:\/\/www.resellerclub.com\/blog\/how-to-secure-your-site-against-a-vulnerability-in-asp-net-that-could-allow-information-disclosure\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.resellerclub.com\/blog\/how-to-secure-your-site-against-a-vulnerability-in-asp-net-that-could-allow-information-disclosure\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.resellerclub.com\/blog\/how-to-secure-your-site-against-a-vulnerability-in-asp-net-that-could-allow-information-disclosure\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.resellerclub.com\/blog\/"},{"@type":"ListItem","position":2,"name":"How to secure your site against a vulnerability in ASP.NET that could allow Information Disclosure."}]},{"@type":"Person","@id":"https:\/\/www.resellerclub.com\/blog\/#\/schema\/person\/8e8e4d9bc3cbe9a301c2df643ce0d776","name":"madhusudan.s","image":{"@type":"ImageObject","@id":"https:\/\/www.resellerclub.com\/blog\/#personlogo","inLanguage":"en-US","url":"https:\/\/secure.gravatar.com\/avatar\/86ce616cb03d5c54d290d9d5cbfc433c4a3b2d1e684865b27856bc13681f5ea1?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/86ce616cb03d5c54d290d9d5cbfc433c4a3b2d1e684865b27856bc13681f5ea1?s=96&d=mm&r=g","caption":"madhusudan.s"},"url":"https:\/\/www.resellerclub.com\/blog\/author\/madhusudan-s\/"}]}},"_links":{"self":[{"href":"https:\/\/www.resellerclub.com\/blog\/wp-json\/wp\/v2\/posts\/2246","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.resellerclub.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.resellerclub.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.resellerclub.com\/blog\/wp-json\/wp\/v2\/users\/18"}],"replies":[{"embeddable":true,"href":"https:\/\/www.resellerclub.com\/blog\/wp-json\/wp\/v2\/comments?post=2246"}],"version-history":[{"count":10,"href":"https:\/\/www.resellerclub.com\/blog\/wp-json\/wp\/v2\/posts\/2246\/revisions"}],"predecessor-version":[{"id":13663,"href":"https:\/\/www.resellerclub.com\/blog\/wp-json\/wp\/v2\/posts\/2246\/revisions\/13663"}],"wp:attachment":[{"href":"https:\/\/www.resellerclub.com\/blog\/wp-json\/wp\/v2\/media?parent=2246"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.resellerclub.com\/blog\/wp-json\/wp\/v2\/categories?post=2246"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.resellerclub.com\/blog\/wp-json\/wp\/v2\/tags?post=2246"},{"taxonomy":"hashtags","embeddable":true,"href":"https:\/\/www.resellerclub.com\/blog\/wp-json\/wp\/v2\/hashtags?post=2246"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}