Generic Padding Oracle

Risk:
High

Type:
Active

CWE:
CWE-209

Summary: By manipulating the padding on an encrypted string, an attacker is able to generate an error message that indicates a likely ‘padding oracle’ vulnerability. Such a vulnerability can affect any application or framework that uses encryption improperly, such as some versions of ASP.net, Java Server Faces, and Mono. An attacker may exploit this issue to decrypt data and recover encryption keys, potentially viewing and modifying confidential data. This rule should detect the MS10-070 padding oracle vulnerability in ASP.net if CustomErrors are enabled for that.

Solution: Update the affected server software, or modify the scripts so that they properly validate encrypted data before attempting decryption.

References

https://learn.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-070

https://www.mono-project.com/docs/about-mono/vulnerabilities/

https://bugzilla.redhat.com/show_bug.cgi?id=623799

Top Security News

Latest CVE List

Top Alert List

Content Security Policy (CSP) Header Not Set
CSP
MediumMissing Anti-clickjacking Header
InformationalInformation Disclosure - Suspicious Comments
MediumAbsence of Anti-CSRF Tokens
MediumContent Security Policy (CSP) Header Not Set
LowCross-Domain JavaScript Source File Inclusion
InformationalRe-examine Cache-control Directives
LowCSP: X-Content-Security-Policy
LowTimestamp Disclosure - Unix

Common CWEs

Free online web security scanner

Don't show website scan report rating on the leaderboard