Any opinions expressed here are my own and not necessarily those of my employer (I'm self-employed).

Sep 28, 2010

ASP.NET padding oracle, check your logs!

Microsoft has now released a patch for the padding oracle attack, but most system owners will still need some time to test the new patch before going live with it. Until the patch is applied we need to keep an eye on our logs in order to detect potential attacks.

In his FAQ post on the vulnerability, ScottGu notes that an attack attempt generates a large number of entries in the application event log. In the subsequent update he presents a revised workaround that blocks requests carrying an aspxerrorpath parameter. To detect attempts involving this parameter, we also need to look at the IIS logs.

Fortunately, Microsoft offers the LogParser tool — the swiss army knife for parsing large amounts of data from IIS logs, event logs, or even the registry or AD (!). Check it out!

I'll give some examples here on how LogParser can be helpful in detecting whether someone has been talking to the oracle in your ASP.NET enabled webserver. Note that LogParser is a command line utility and will open in a command prompt. Note also that some of the logparser commands included below have been broken over several lines to increase readability. If you experience problems, try running the command on ONE line in your command prompt.

Check the event log
ScottGu's FAQ post on the vulnerability notes that an attack attempt generates a large number of entries in the application event log, of this form:

Event code: 3005 
Event message: An unhandled exception has occurred. 
Event time: 11/11/1111 11:11:11 AM 
Application information: 
    Application domain: c1db5830-1-129291000036654651 
    Application Virtual Path: / 
Exception information: 
    Exception type: CryptographicException 
    Exception message: Padding is invalid and cannot be removed.

You can search for these events in the eventlog:

logparser "select count(*) from *.evt where Message like '%Padding is invalid%'"

This should give you something like this:

Elements processed: 402859
Elements output:    1
Execution time:     40.75 seconds

If the count is larger than 0, there are entries in the log that need to be inspected.

In that case, the matches can be dumped to a file called e.g. dump.csv by logparser:

logparser "select * into dump.csv from *.evt
where Message like '%Padding is invalid%'" -o:csv

This will output a file where the data fields are comma separated.

Check the IIS log
To further check what's going on in your webserver, use LogParser to search for requests containing the aspxerrorpath= parameter:

logparser "select count(*) from mybusywebserver.log
where cs-uri-query like '%aspxerrorpath%'" 

Which should yield something like this:

Elements processed: 2147336
Elements output:    1
Execution time:     13.81 seconds

The above query was run on a logfile from a server without the customerrors configuration trick suggested by ScottGu. Running it on a file from a server with the recommended customerrors tweak (with responseRewrite) applied should yield the following (unless someone is attacking you):

Elements processed: 1008100
Elements output:    1
Execution time:     8.61 seconds

If your logfile contains entries with the aspxerrorpath parameter, run the query again, but this time dumping the results to a csv file for closer inspection:

logparser "select * into dump.csv from mybusywebserver.log
where cs-uri-query like '%aspxerrorpath%'" -o:csv
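As an added illustration (not part of the original post, and not LogParser itself), here is a small Python script that applies the same filter to a constructed IIS W3C log sample: it reads the #Fields header, keeps rows whose cs-uri-query contains aspxerrorpath, and counts them per client IP, since a burst of such requests from one address is what an oracle probe looks like in the log. The log lines, IPs and field layout are made up for the example.

```python
from collections import Counter

# Constructed sample of an IIS W3C extended log (not taken from the original post).
# Two requests from one client carry the aspxerrorpath parameter the post tells us to look for.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2010-09-28 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2010-09-28 10:00:01 10.0.0.5 GET /Default.aspx - 192.0.2.10 Mozilla/5.0 200
2010-09-28 10:00:02 10.0.0.5 GET /WebResource.axd d=AAAA 198.51.100.7 Mozilla/5.0 500
2010-09-28 10:00:02 10.0.0.5 GET /Error.aspx aspxerrorpath=/WebResource.axd 198.51.100.7 Mozilla/5.0 200
2010-09-28 10:00:03 10.0.0.5 GET /Error.aspx aspxerrorpath=/WebResource.axd 198.51.100.7 Mozilla/5.0 200
2010-09-28 10:00:04 10.0.0.5 GET /About.aspx - 192.0.2.10 Mozilla/5.0 200
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column names follow the '#Fields:' directive
            continue
        if not line or line.startswith("#") or fields is None:
            continue                    # other directives, or data before any header
        values = line.split(" ")        # IIS writes space-separated columns, '-' for empty
        if len(values) != len(fields):
            continue                    # skip malformed rows instead of misaligning columns
        yield dict(zip(fields, values))


def find_aspxerrorpath_hits(text):
    """Same filter as the post's "where cs-uri-query like '%aspxerrorpath%'"."""
    return [row for row in parse_w3c(text)
            if "aspxerrorpath" in row.get("cs-uri-query", "").lower()]


def hits_per_client(text):
    """Count matching requests per client IP; many hits from one address stand out."""
    return Counter(row["c-ip"] for row in find_aspxerrorpath_hits(text))


if __name__ == "__main__":
    hits = find_aspxerrorpath_hits(SAMPLE_IIS_LOG)
    print("matches:", len(hits), "per client:", dict(hits_per_client(SAMPLE_IIS_LOG)))
```

Point it at a real log by reading the file into a string; a Counter with one address far ahead of the rest is the row to inspect first.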

More on LogParser
LogParser can handle several files simultaneously, just use a wildcard like I did, e.g. *.evt. LogParser will also handle logfiles from several servers. Very handy if you have clustered webservers — you can analyze logs across your cluster!

Check out the Logparser forum for more details on the magic bits.

LogParser rocks!


Copyright notice

© André N. Klingsheim and www.dotnetnoob.com, 2009-2018. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to André N. Klingsheim and www.dotnetnoob.com with appropriate and specific direction to the original content.