Serious ASP.NET Forms Authentication Vulnerability

forwarded from OWASP-DOTNET read the whole story here for some examples of vulnerable and not vulnerable web.config settings.

It seems from the original mail that microsoft wasn’t even contacted before disclosing this vulnerability which is extremely bad style.

this is serious!


Date: Tue, 14 Sep 2004 12:42:28 +0100
From: Toby Beaumont <toby:nospam.CREATOR.CO.UK>
Subject: Security bug in .NET Forms Authentication


We believe we have discovered a serious flaw in .NET forms authentication when used to secure sub folders.

A standard forms authentication setup requires the presence of “web.config”

to set the authentication method and login procedure. The presence of this file prevents access to certain files (.aspx files for example) unless authenticated.



The webroot for your website is:


You want to secure files in a sub directory “secure”


A request to http://localhost/secure/somefile.aspx would then redirect the user to a predefined authentication page, as defined in web.config, before allowing the user access to “somefile.aspx”.


1. Using Mozilla not IE, you make a request to http://localhost/securesomefile.aspx
The use of a backslash rather than a forward slash appears to bypass the expected authentication model invoked in .NET forms authentication

2. Using IE, you make a request to http://localhost/securesomefile.aspx
IE automatically replaces the backslash “” with a forward slash “/” and everything appears fine. However, replace the backslash “” with %5C (%5C being hex value for ) and all is not so fine:



This entry was posted in Uncategorized. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s