Let iRules Work Around that ASP.NET Padding Oracle Attack

Microsoft released advisory 2416728 on Friday after researchers Thai Duong and Juliano Rizzo demonstrated the attack on ASP.NET with their Padding Oracle Exploit Tool.  The attack itself preys on a b...
Published Sep 20, 2010
Version 1.0
application delivery
dev
devops
iRules
oracle
partner
security
us
JRahm's avatar
JRahm
Icon for Admin rankAdmin
Sep 20, 2010
@Bertand This solution applies pre and post-3.5SP1 unless I'm reading the advisory wrong.

 

 

@Matt I only implemented the specified workaround, not any additional recommendations. You are correct in that you could add a delay, but would be better without the variable, and would look more like this:

 

 

after [expr [expr { int(10000 * rand()) }] +2000]