.NET Handler Enumeration

Overview

Vulnerability scanners frequently report findings such as .NET Handler Enumeration. The issue can allow an attacker to determine all handlers enabled on the server. The value of this information is extremely minimal, and we categorize the risk as a ‘Note’.

The root cause of this issue is most often errors such as the following:

[Figure: .NET handler enumeration]

Technical Description

Microsoft .NET supports a number of application extensions. As an example, Nessus checks for the following:

  1. .ashx – Generic handler
  2. .aspx – ASP.NET page handler
  3. .asmx – Web service handler
  4. .rem – Remoting handler
  5. .soap – SOAP handler

We can analyze the detection plugin by looking at a Nessus nasl file:

list = make_list(".ashx", ".aspx", ".asmx", ".rem", ".soap");

We can then see the plugin make a request for a random file with each extension:

foreach ext (list) 
{
 u ="/" + rand_str(length:8) + ext;
 r = http_send_recv3(method: "GET", item: u, port:port);

It then checks each response for descriptive errors:

 if ( "[FileNotFoundException]:" >< r[2] ||
      "[HttpException]:" >< r[2] ||
      "System.Runtime.Remoting.RemotingException:" >< r[2] ||
      egrep(pattern:"^Location:.*aspxerrorpath=", string:r[1]) )
    {

From this, we can confirm that the enumeration is made possible by either of two things:

  1. Any error containing FileNotFoundException, HttpException, or System.Runtime.Remoting.RemotingException.
  2. A URL redirection matching the regex ^Location:.*aspxerrorpath=.

Solution

You can prevent most instances of .NET handler enumeration by disabling verbose error messages in .NET. This can be set in the web.config with the following:

<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="~/Error.aspx" redirectMode="ResponseRewrite"/>
    [..]
  </system.web>
  [..]
</configuration>

There is not always a true solution to prevent someone from enumerating handlers. Other errors and custom functionality may also confirm that the handler is supported. However, this should prevent most vulnerability scanners from raising the issue.
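To confirm the change took effect, the plugin's two signals can be re-checked against a server you administer. The following Python is an added example, not code from the original page or from Nessus; the names `leak_indicators` and `audit` and the sample responses are constructed for illustration.

```python
import re
import secrets
import urllib.error
import urllib.request

EXTENSIONS = (".ashx", ".aspx", ".asmx", ".rem", ".soap")
BODY_MARKERS = (
    "[FileNotFoundException]:",
    "[HttpException]:",
    "System.Runtime.Remoting.RemotingException:",
)
# The plugin's header pattern; case-insensitive here since header names are.
REDIRECT_RE = re.compile(r"^Location:.*aspxerrorpath=", re.MULTILINE | re.IGNORECASE)


def leak_indicators(headers: str, body: str) -> list[str]:
    """Return the markers from the plugin's check that appear in one response."""
    found = [m for m in BODY_MARKERS if m in body]
    if REDIRECT_RE.search(headers):
        found.append("Location: ...aspxerrorpath=")
    return found


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # keep the 3xx response so its Location header can be inspected


def audit(base_url: str, timeout: float = 10.0) -> dict[str, list[str]]:
    """Request one random, nonexistent file per extension on a server you run."""
    opener = urllib.request.build_opener(_NoRedirect)
    results = {}
    for ext in EXTENSIONS:
        url = f"{base_url.rstrip('/')}/{secrets.token_hex(4)}{ext}"
        try:
            resp = opener.open(url, timeout=timeout)
        except urllib.error.HTTPError as err:
            resp = err  # 3xx/4xx/5xx responses still carry headers and a body
        body = resp.read().decode("utf-8", "replace")
        results[ext] = leak_indicators(str(resp.headers), body)
    return results


# Constructed sample responses as (headers, body); not captured from a real server.
SAMPLE_VERBOSE = ("", "[HttpException]: The file '/3f9a1c2e.ashx' does not exist.")
SAMPLE_REDIRECT = ("Location: /Error.aspx?aspxerrorpath=/3f9a1c2e.aspx\r\n", "")
SAMPLE_HARDENED = ("Content-Type: text/html\r\n", "<h1>Something went wrong</h1>")
```

Calling `audit()` with the base URL of your own site returns one list per extension; an empty list for every extension means neither of the plugin's two signals is present in the responses.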
