Padding Oracle Post-Exploitation: Abusing ASP.NET Forms Authentication with Burp



So you found a web site vulnerable to the ASP.NET Padding Vulnerability, used Minded Security's web.config bruter, and now you have the application's web.config file. Now what?

Here's a Burp plugin to decrypt FormsAuthentication tokens, allowing you to edit them as a plain-text cookie, changing "AuthCookie=AB1351CF[Encrypted and Signed hex blob]D1" to "__bMKUusername=jwpari". The plugin will then re-encrypt and sign the FormsAuthenticationTicket, and the ASP.NET application will never know the difference.

java -classpath burp.jar:BurpMachineKeyUtils.jar burp.StartBurp [web.config filename]

BurpMachineKeyUtils-0.1.jar

https://github.com/beersec/BurpMachineKeyUtils/
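On the defensive side, the condition this post depends on is a web.config that carries static machineKey values in clear text. The check below is an added example, not part of the original post or of BurpMachineKeyUtils; the function names and the sample config (with placeholder key values) are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config (not from the original post); key values are placeholders.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY"
                decryptionKey="PLACEHOLDER_DECRYPTION_KEY"
                validation="SHA1" decryption="AES" />
    <authentication mode="Forms">
      <forms name="AuthCookie" protection="All" />
    </authentication>
  </system.web>
</configuration>"""


def _local(tag):
    """Strip an XML namespace prefix such as '{ns}machineKey'."""
    return tag.rsplit("}", 1)[-1]


def audit_web_config(xml_text):
    """Return findings about forms-auth key material a web.config disclosure would expose."""
    findings = []
    root = ET.fromstring(xml_text)
    for el in root.iter():
        name = _local(el.tag)
        if name == "machineKey":
            if el.get("configProtectionProvider"):
                continue  # section is encrypted at rest (e.g. with aspnet_regiis -pe)
            for attr in ("validationKey", "decryptionKey"):
                # An absent attribute means ASP.NET auto-generates the key outside this file.
                value = el.get(attr, "AutoGenerate")
                if not value.startswith("AutoGenerate"):
                    findings.append(f"static {attr} in clear text: rotate it if this file was ever disclosed")
        elif name == "forms":
            protection = el.get("protection", "All")  # "All" is the framework default
            if protection != "All":
                findings.append(f"forms protection={protection}: tickets are not both encrypted and validated")
    return findings


if __name__ == "__main__":
    for finding in audit_web_config(SAMPLE_WEB_CONFIG):
        print("[!]", finding)
```

Any finding about a static key means every FormsAuthentication ticket issued under that key should be treated as forgeable once the file has leaked, so the keys need to be rotated, not just the padding oracle patched.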

Follow me on Twitter, @jwpari.