I am fairly new to ASP.NET. I recently set up automated email from my website to notify me of unhandled exceptions. Just a few hours ago in 3 minutes there were 10 unhandled exceptions and all stack traces were similar. There is a lot in the error messages I do not understand, but I do not like the way this looks.

Here is one of the email messages:

An unhandled exception occurred:
Message: Padding is invalid and cannot be removed.

 Stack Trace:
    at System.Security.Cryptography.RijndaelManagedTransform.DecryptData(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount, Byte[]& outputBuffer, Int32 outputOffset, PaddingMode paddingMode, Boolean fLast)
    at System.Security.Cryptography.RijndaelManagedTransform.TransformFinalBlock(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount)
    at System.Security.Cryptography.CryptoStream.FlushFinalBlock()
    at System.Web.Configuration.MachineKeySection.EncryptOrDecryptData(Boolean fEncrypt, Byte[] buf, Byte[] modifier, Int32 start, Int32 length, IVType ivType, Boolean useValidationSymAlgo)
    at System.Web.UI.Page.DecryptStringWithIV(String s, IVType ivType)
    at System.Web.Handlers.AssemblyResourceLoader.System.Web.IHttpHandler.ProcessRequest(HttpContext context)
    at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
    at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Is this an attempt to hack into my site or something else?


Many thanks go to those who provided Answers and Comments which pointed me in the right direction to get an answer to this exception. Its cause can be difficult to determine, especially when not occurring in a web farm.

IE 5.5 was not causing the problem as I had earlier thought.

It was not easily found, but a post on my web host forum by one of the staff mentioned reports of Viewstate errors. The cause was attributed to the asp worker process or the server recycling.

The asp worker process settings refer to the processModel Element in the machine.config file. See http://msdn.microsoft.com/en-us/library/7w2sway1(VS.80).aspx for more information.

The recommended fix was to set an encrypted machineKey in the web.config file. The Machine Key node is in the system.web element.

This was easily done and solved the problem thanks to the handy ASP.NETResources site which has a MachineKey Generator. See http://www.aspnetresources.com/tools/keycreator.aspx.

+7  A: 

This exception is thrown when the assembly resource handler gets an invalid request. It is unlikely this is related to any malicious activity; it's usually caused by an incorrectly configured machine config on the server.

Some background:

ASP.NET has built-in mechanisms for exposing resources from the assembly (dll) via an HttpHandler. Resources such as JavaScripts and images can be stored as text in the assembly and requested by the browser via .axd handlers. But for security reasons, the handlers don't accept a plain-text location of the resource, which might expose clues about how your code works. Instead, it uses information in the machine.config on the server to encrypt a unique identifier to the resource. This exception gets thrown when a resource is requested, but when the server tries to decrypt the identifier provided, it fails.

Rex M
Thank you for your speedy and informative answer. Is there something I need to do to prevent this exception from happening again? Also, I know the basics of try, catch, finally, but I do know very little about handling specific exceptions.
hunterpaw
@hunterpaw the server event viewer should have the specific URL that caused the error. It should look something like /WebResource.axd?d={gibberish}. If so, read up on the machineKey setting for verifying yours is correct: http://msdn.microsoft.com/en-us/library/ms998288.aspx
Rex M
Why did this get voted down? Is it wrong?
Yar
The post is a little over my head. The follow-up comment by Rex was more helpful. Also, I am new to this site. Should I click the check on all helpful answers or just the best helpful answer?
hunterpaw
Hi Rex, I was glad to find out this is not a security threat. Does this problem concern the viewstate? Thanks for your help.
hunterpaw
@hunterpaw the check is for the "accepted" answer, only one can be accepted. But if more than one answer is "good" or helpful, you should use the arrow to vote it up.
Rex M
@hunterpaw I don't think this *specific* error is related to ViewState, but ViewState is affected by the machine key.
Rex M
@hunterpaw: accept / as in best helpful answer, note that even that msdn link points to the wrong direction: "the default value is correct for a single server deployment. You do not need to change the default settings unless your application is deployed in a Web farm ...
eglasius
" ... In a Web farm, you must manually generate the validationKey value and make sure that it is the same on all servers in the farm.", and the default value is referring to automatically generated keyword ... sigh :(
eglasius
the real issue with it on single server isn't well known (your case), at least put a note at the last of your question and point people in the right direction :)
eglasius
above I meant key, not keyword :)
eglasius
Thanks everyone for your help. This error is happening often. I am unable to add my Remote SQL Server Database to the Server Explorer, so I cannot see the logs. I will make that problem a different question since it is a different subject. @Freddy Rios Yes, I only have one web site.
hunterpaw
@hunterpaw, the logs are not kept on SQL Server, they are on the web server in the Event Viewer and the IIS logs.
Rex M
@Rex M Many Thanks for your patience. I will look for Event Viewer. SQL Server Log Results: Application Virtual Path: /, Request URL: http://gainingaccess.net/WebResource.axd?d=XXXXXXXXX. Now I need to ID which control? is the problem.
hunterpaw
@hunterpaw a lot of AJAX controls use WebResource.axd to load client scripts. but the specific control is likely not the problem - the whole resource architecture is baked into ASP.NET - either all of it works or none of it will.
Rex M
@Rex M I checked but my web hosting company does not provide useful event logs--I would dump them if it wasn't so much trouble. Have checked the forums and I will have to build my own event logging/trace/debug procedures. I have been unable to reproduce the error. I will find it eventually. Thanks!
hunterpaw
+2  A: 

The error is because your appdomain was recycled/restarted. When that happens to the application and the machine key is set to auto, it changes. That affects the decryption of the info in the url of the resources urls (.axd). Setting up a fixed machine key will prevent it from ever happening again.

Please check this for more info on a similar case (the explanation is with an issue with viewstate validation, but the cause is the same one): http://www.developmentnow.com/blog/InvalidViewstate+Or+Unable+To+Validate+Data+Error.aspx

Ps. this explains it on single server deployments :) - although the solution is the same for both multi-single server, the fix was usually only explained to make all servers use the same machine key.

Update 1: The padding is invalid message doesn't have relation to the css padding. If it is only happening on ie 5.5, it is likely the parameters for the webresource.axd are being messed up, just like in this question: http://stackoverflow.com/questions/461605/invalid-webresource-axd-parameters-being-generated.

eglasius
Thanks, Freddy, for the explanation and the link. You have helped me to understand it better.
hunterpaw
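
The fixed machineKey described in the question's update and in the second answer can be generated locally, so the key material never passes through a third-party site. The PowerShell below is an added example, not code from the original posts: the function names New-HexKey and Set-FixedMachineKey are hypothetical, the sample web.config is constructed, and it assumes the `<configuration>` element has no default XML namespace.

```powershell
# Added example. New-HexKey and Set-FixedMachineKey are hypothetical helper names.
function New-HexKey([int]$Bytes) {
    # Cryptographically strong random bytes, rendered as upper-case hex.
    $buf = New-Object byte[] $Bytes
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
    return -join ($buf | ForEach-Object { $_.ToString('X2') })
}

function Set-FixedMachineKey([xml]$Config) {
    # Assumes <configuration> carries no default xmlns (the XPath would not match otherwise).
    $sysWeb = $Config.SelectSingleNode('/configuration/system.web')
    if ($null -eq $sysWeb) {
        $sysWeb = $Config.DocumentElement.AppendChild($Config.CreateElement('system.web'))
    }
    $mk = $sysWeb.SelectSingleNode('machineKey')
    if ($null -eq $mk) {
        $mk = $sysWeb.AppendChild($Config.CreateElement('machineKey'))
    }
    $replaced = @()
    # 64-byte validation key and 32-byte decryption key (sizes suited to SHA1 / AES).
    foreach ($spec in @(@{ Name = 'validationKey'; Bytes = 64 },
                        @{ Name = 'decryptionKey'; Bytes = 32 })) {
        $current = $mk.GetAttribute($spec.Name)
        # Missing or "AutoGenerate..." means the key changes whenever the app restarts.
        if ($current -eq '' -or $current -like 'AutoGenerate*') {
            $mk.SetAttribute($spec.Name, (New-HexKey $spec.Bytes))
            $replaced += $spec.Name
        }
    }
    return $replaced   # names of the attributes that were pinned to fixed values
}

# Constructed sample: a web.config that relies on the auto-generated key.
[xml]$doc = @'
<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps" />
  </system.web>
</configuration>
'@
$pinned = @(Set-FixedMachineKey $doc)
"Pinned: $($pinned -join ', ')"
$doc.SelectSingleNode('//machineKey').OuterXml
# For a real site: $doc = [xml](Get-Content .\web.config -Raw), then $doc.Save(<full path>).
```

Treat the resulting web.config as a secret: these keys protect the encrypted and validated values ASP.NET accepts back from the browser.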