# Microsoft ASP.NET Security Vulnerability: "padding oracle"

> Understanding the ASP.NET padding oracle security vulnerability. How it works, impact assessment, and mitigation steps for web applications.

*Published October 27, 2010* · Categories: net, microsoft, web

Source: https://www.kimpel.com/2010/10/27/microsoft-asp-net-security-vulnerability-padding-oracle/


Microsoft has released a security advisory about a vulnerability in ASP.NET. A security patch is already available [here](https://weblogs.asp.net/scottgu/archive/2010/09/30/asp-net-security-fix-now-on-windows-update.aspx).

Below are some details on how the vulnerability works:

"To understand how this vulnerability works, you need to know about cryptographic oracles. An oracle in the context of cryptography is a system which provides hints as you ask it questions. In this case, there is a vulnerability in ASP.NET which acts as a padding oracle. This allows an attacker to send cipher text to the web server and learn if it was decrypted properly by examining which error code was returned by the web server.  By making many such requests (and watching what errors are returned) the attacker can learn enough to successfully decrypt the rest of the cipher text." (quoted from [Scott Guthrie's](https://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx) blog)

