Why sleep is good for your app’s padding oracle health

added by troyhunt
9/25/2010 4:26:50 PM

2 Kicks, 131 Views

Does the ASP.NET padding oracle vulnerability benefit from random sleep periods in the error page as Microsoft claims? Is it possible to execute a timing attack against apps that don’t have this? Are earlier versions of ASP.NET more vulnerable to the whole padding oracle vulnerability? Yes, yes and yes!