EvilZone
Hacking and Security => Hacking and Security => : arash2121 January 23, 2014, 07:50:27 AM
-
Hi. I scanned a website with "Acunetix 8" and it showed me "asp.net padding oracle vulnerability" but the software couldn't find webresource.axd or scriptresource.axd and when I viewed the source code of the website I didn't see anything like this:
/webresource.axd?d=<resourceId>&t=<timestamp>
But I am sure that the website has this vulnerability and I need these two parameters (resourceId and timestamp) to inject to that website.
How can I find these two parameters?
Thank you.
-
Sweet :P "I used an automated scanner which showed a vulnerability and now I can't find the hax button to exploit it". You think I just deleted that post for fun? Why do you send a PM asking why I deleted the post if you don't wait for a reply and post the same thing again? Well, I decided to not delete it again :P Let's see what others have to say about that question.
Ok, to not make that post totally useless: https://www.owasp.org/index.php/Testing_for_Padding_Oracle_%28OWASP-EN-003%29
Maybe this will help you to get a better understanding of what it is about.
-
Acunetix is a great tool and most of its results are useful to a professional pentester. In other words, it's not usable for you because those vulnerabilities are very specific and are more interesting to fix than to exploit.
-
Well, A.NPO is a vulnerability that is VERY difficult to find today, and for SURE this is a false positive, because Acunetix 8 doesn't REALLY scan the encrypted code on WebResource, whether custom_error is active or not, or whether the ECB or CBC decrypt is REALLY vulnerable. Well, Acunetix is horrible today. Use good vuln scanners, like w3af, Nikto, Nessus, OWASP ZAP (it is a fuzzer too :)). And well, for sure it is a false positive.