In this video, researchers Juliano Rizzo and Thai Duong demonstrate the technique they developed for stealing cryptographic keys for ASP.NET Web applications, enabling them to compromise virtually any app built on ASP.NET.
You can read the full story of their attack in this article, “Padding Oracle Attack Affects Millions of ASP.NET Apps.”
Anonymous on
Does this only work if the default error page is used? If so, that is a basic security requirement of any good deployment.
So really the only thing you have to do to prevent this exploit is to turn on custom error pages.