buherator on Nostr: nprofile1q…h5lc3 The dangers of exposing ViewState encryption keys (or encryption ...
nprofile1qy2hwumn8ghj7un9d3shjtnddaehgu3wwp6kyqpq7lgy0rj5a2nwpnyc4hup6ufpfz7wz6dzcgd3crm6fm2yd34dcz0qrh5lc3 (nprofile…5lc3) The dangers of exposing ViewState encryption keys (or encryption oracles) were popularized at least by 2010 because of the padding oracle fixed with MS10-070:
https://web.archive.org/web/20101225182433/http://netifera.com/research/poet//PaddingOraclesEverywhereEkoparty2010.pdf
Similar attacks can be executed against frameworks that also protect stateless session data with encryption/MAC's, see CVE-2018-15133 of Laravel:
https://mogwailabs.de/en/blog/2022/08/exploiting-laravel-based-applications-with-leaked-app_keys-and-queues/
We've been hunting for web.config's during pentests too - the latest exploit I remember must've been written around last December by teammate based on a file read vuln exposing web.config.
So yeah, don't expose your private keys... If you do, that's not the problem of the crypto system (or ASP.NET in this case).
https://web.archive.org/web/20101225182433/http://netifera.com/research/poet//PaddingOraclesEverywhereEkoparty2010.pdf
Similar attacks can be executed against frameworks that also protect stateless session data with encryption/MAC's, see CVE-2018-15133 of Laravel:
https://mogwailabs.de/en/blog/2022/08/exploiting-laravel-based-applications-with-leaked-app_keys-and-queues/
We've been hunting for web.config's during pentests too - the latest exploit I remember must've been written around last December by teammate based on a file read vuln exposing web.config.
So yeah, don't expose your private keys... If you do, that's not the problem of the crypto system (or ASP.NET in this case).