Strange error in .net application. - RijndaelManaged
During a recent load test I get a strange "Range Exception"
Stack trace:
at System.Security.Cryptography.RijndaelManagedTransform.DecryptData(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount, Byte[]& outputBuffer, Int32 outputOffset, PaddingMode paddingMode, Boolean fLast)
at System.Security.Cryptography.RijndaelManagedTransform.TransformFinalBlock(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount)
at System.Security.Cryptography.CryptoStream.FlushFinalBlock()
at System.Web.Configuration.MachineKeySection.EncryptOrDecryptData(Boolean fEncrypt, Byte[] buf, Byte[] modifier, Int32 start, Int32 length, Boolean useValidationSymAlgo)
at System.Web.UI.Page.DecryptString(String s)
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
We are not using a farm or cluster, and I am not using crypto in the application.
It looks like this is going on behind the scenes of .Net classes.
I suppose it has something to do with the viewstate, but I can't figure out why this is happening.
Any ideas?
source to share
If someone initiates a message, the application starts sending the message with all 500KB in view. Half way through postback, the user gets bored and clicks on something else. The browser disables postbacks only for part of the view state. The server throws an error that says the viewstate has started. I would assume this is a 2.0 app with viewstate encryption enabled. The solution is to better manage the size of the view.
Event validation exceptions are more likely to occur when an attacker creates a custom postback response, so I don't think event validation is involved here.
source to share
Just guess: have you disabled EventValidation on the site? It looks like something is trying to create a manual postback or otherwise insert data directly into the post post data of the http request and has not calculated the correct value for the viewstate field. This, in turn, causes the decryption to fail.
When enabling EventValidation, you will get an exception even if they calculated everything correctly, but at least this is a meaningful exception.
source to share