![]() ![]() ![]() What doĪssume this generic scenario: An outdated ASP.NET CMS on IIS This can also be abused very similar to a hidden key or a backdoor by malicious developers to execute code on a server when they do not have their access anymore. Now I want to explain how hackers who have already exploited an ASP.NET application can read the auto generated parameters to maintain their access even after their original vulnerability has been patched. As a result, it is not simply possible to steal the keys by reading the configuration files. However, most websites do not hard code these keys and use automatically generated values by ASP.NET. It covers cases in which the keys are hard coded and could be read using another vulnerability such as local file disclosure. In the Exploiting Deserialisation in ASP.NET via ViewState blog post, I explained how it is possible to run code on an ASP.NET web application using compromised Machine Key secrets. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |