
3,000 exposed ASP.NET keys could enable code injection attacks


Researchers discovered more than 3,000 publicly disclosed ASP.NET machine keys that attackers can use to launch ViewState code injection attacks and perform malicious actions on target servers.

In a Feb. 6 blog, Microsoft Threat Intelligence explained that developers took these ASP.NET machine keys from publicly accessible resources, such as code documentation and repositories.

The researchers acknowledged that using publicly accessible code is routine practice, but noted that many ViewState code injection attacks rely on compromised or stolen keys sold on dark web forums. These publicly disclosed keys could pose an even higher risk because they are available in multiple code repositories and may have been pushed into development code without modification.

Microsoft recommended that companies not copy keys from publicly available sources and that they rotate these keys regularly. To further discourage the practice, Microsoft also removed key samples from the limited instances where they appeared in its own public documentation.

“Microsoft's alert regarding the use of publicly available ASP.NET machine keys brings attention to a significant security risk linked to poor coding practices in application and API development,” said Eric Schwake, director of cybersecurity strategy at Salt Security. “Developers frequently turn to public resources and code snippets for ease, but this approach can unintentionally create vulnerabilities, particularly when developing applications or APIs that manage sensitive data and integrate critical systems.”

In this scenario, Schwake explained that the use of publicly disclosed machine keys puts applications and their associated APIs at risk of attacks since malicious individuals can easily access these keys. To mitigate such risks, Schwake said developers must prioritize secure coding practices by refraining from using publicly disclosed secrets and ensuring that all third-party libraries and components are up-to-date and free from known vulnerabilities.

“This precaution is especially vital for APIs, which are frequently exposed online and can be easily targeted by attackers,” said Schwake. “Furthermore, extensive security training is essential to inform developers about secure coding practices, particularly in relation to API development and the dangers of using publicly accessible resources.”

Tim Mackey, head of software supply chain risk strategy at Black Duck, added that at its core this is a misconfiguration of a system, one that allows for malicious activity. In this scenario, Mackey said, the ViewState would contain the malicious payload, encrypted using a key published on the internet.

“Such a key might have originated from sample code or from demo code provided to a developer attempting to learn a new API or coding topic,” said Mackey. “That key was provided as an example by the original author with an expectation that someone using the sample code would replace the demo key with one that’s unique to their environment. The problem is that someone using sample code might not understand all the rules resulting in the sample code being copied directly into the application.”
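A defensive check for the misconfiguration Mackey describes, added here as an example that is not part of the article or of any Microsoft tooling: it parses a web.config, flags a static `<machineKey>`, compares the key (by SHA-256 digest) against a list of known-exposed keys, and flags legacy validation algorithms, with the corrected AutoGenerate configuration shown beside the weak one. The key values and the digest list are constructed placeholders, not real exposed keys.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed placeholder digest list. A real audit would load SHA-256 digests of
# the key values Microsoft published as exposed; no real exposed key appears here.
KNOWN_EXPOSED_KEY_DIGESTS = {
    hashlib.sha256(b"CONSTRUCTEDEXPOSEDKEY0123456789ABCDEF").hexdigest(),
}
# MAC algorithms that should no longer protect ViewState integrity.
WEAK_VALIDATION = {"MD5", "SHA1", "3DES"}


def audit_machine_key(web_config_xml: str) -> list[str]:
    """Return findings for the <machineKey> element of a web.config document."""
    root = ET.fromstring(web_config_xml)
    mk = root.find("./system.web/machineKey")
    findings: list[str] = []
    if mk is None:
        # No element: ASP.NET falls back to AutoGenerate,IsolateApps per machine.
        return findings
    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "AutoGenerate,IsolateApps").strip()
        if value.upper().startswith("AUTOGENERATE"):
            continue
        findings.append(f"{attr}: static key in config; confirm it is unique and rotated")
        if hashlib.sha256(value.upper().encode()).hexdigest() in KNOWN_EXPOSED_KEY_DIGESTS:
            findings.append(f"{attr}: matches a publicly exposed key; rotate immediately")
    validation = mk.get("validation", "")
    if validation.upper() in WEAK_VALIDATION:
        findings.append(f"validation={validation}: weak MAC algorithm; use HMACSHA256 or stronger")
    return findings


# Constructed sample: a key copied verbatim from a public snippet, with legacy SHA1.
WEAK_CONFIG = """<configuration><system.web>
  <machineKey validationKey="CONSTRUCTEDEXPOSEDKEY0123456789ABCDEF"
              decryptionKey="CONSTRUCTEDEXPOSEDKEY0123456789ABCDEF"
              validation="SHA1" decryption="AES"/>
</system.web></configuration>"""

# Corrected form: let the framework generate per-application keys and use HMACSHA256.
SAFE_CONFIG = """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps"
              decryptionKey="AutoGenerate,IsolateApps"
              validation="HMACSHA256" decryption="AES"/>
</system.web></configuration>"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("safe", SAFE_CONFIG)):
        print(name, audit_machine_key(cfg) or ["no findings"])
```

Note that AutoGenerate keys are per machine, so a web farm that must share ViewState across servers needs a unique, privately generated key rotated on a schedule rather than a value copied from documentation.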
