ASP.NET DoS Vulnerability


There has been controversy over a recently discovered vulnerability in Microsoft’s ASP.NET Web development platform. New exploit code has emerged and been published online, increasing the risk of potential attacks on users. The patched denial-of-service (DoS) vulnerability was first announced last December at the Chaos Communication Congress, Europe’s largest and oldest hacker conference. “This vulnerability could allow an anonymous attacker to efficiently consume all CPU resources on a web server or even on a cluster of web servers” (Constantin). In ASP.NET, a single specially crafted 100kb HTTP request can consume 100% of one CPU core for anywhere from 1 to 2 minutes. An attacker can also issue such requests repeatedly, substantially degrading CPU performance and causing a denial-of-service condition even on multi-core servers. Recently, an anonymous hacker who goes by the name HybrisDisaster published a proof-of-concept exploit for the ASP.NET vulnerability online. He encourages users to download it, use it as they see fit, and spread it. The high likelihood of someone releasing attack code for this DoS vulnerability played a significant role in Microsoft’s decision to release an out-of-band patch. It is highly recommended that webmasters who run ASP.NET Web applications immediately deploy the Microsoft patches, which also address other ASP.NET vulnerabilities.

This article ties in well with this week’s discussion regarding the functions and capabilities of ASP.NET. We know that ASP.NET is the major component of Microsoft’s .NET Framework, as well as an environment for building, deploying, and running Web applications and Web Services. When a browser requests an HTML file, the server returns the file. When a browser requests an ASP.NET file, IIS passes the request to the ASP.NET engine on the server. The ASP.NET engine reads the file, line by line, and executes the scripts in the file. Finally, the ASP.NET file is returned to the browser as plain HTML. With that said, it is relatively important to verify and maintain the security of the platform to ensure its integrity.

One important aspect that I came away with from this article was the importance of ASP.NET as a Web development platform and how easy it has recently become to implement a DoS attack on servers. With the anonymous hacktivist movement on the rise, many choose to publish open source code to the public in hopes of spreading it to others to create disruption and harm to technologies and their users. ASP.NET is Microsoft’s base platform for Web development, so it is essential that the integrity of the software be verified and secured before we move forward in creating new innovative technologies.

 

Constantin, Lucian (2012). Attack Code Published for Serious ASP.NET DoS Vulnerability. PC World. Retrieved May 20, 2012 from http://www.pcworld.com/businesscenter/article/247731/attack_code_published_for_serious_aspnet_dos_vulnerability.html