Critical Zero Day Exploit Hits ASP.net Applications

Security researchers confirmed that the exploit is being used to place backdoors on a number of SaaS products...

The new vectors included a technique called "HTTP side-car reverse injection", which allowed the use of “brute forcing techniques and proxy-based hacks.”

Gerard Manning of The Security Institute of West Canada published a summary of the hack just hours ago: "We were surprised at how easy this exploit was... and nobody noticed it. It's like we weren't even looking for an attack like this one."

Manning said the initial user-level attack via cross-site scripting (XSS) was attempted by a number of malicious actors in mid-November 2020. After connecting to vulnerable websites, attackers deployed a tool called "AsricStlyProx." But their approach was too complicated. "The real hack was much simpler," Manning said.

Update: Microsoft is releasing incremental patches for the vulnerability. The company also released a security advisory on the matter, urging customers to patch vulnerable ASP.NET applications as soon as possible.

More information about the attack: Rueberger