
Does encrypting a value in the web.config file actually provide any real protection? It seems to me that any web app can read that setting. Yes, that's more work than just reading the web.config file, but it's not a big difference if you have control of the system.

David Thielen
    The last part Xander mentions in his reply is important. Not all exploits allow an attacker to take complete control of the system. Some exploits allow the attacker to download or access files that they shouldn't normally be able to access, like the web.config. – k1DBLITZ Sep 23 '14 at 13:52

1 Answer


No, when you encrypt a web.config section, you specify which application and site the configuration belongs to. The container is going to be specific to that site and application, and will not be accessible to other applications.

If you control the system, then you can do whatever you want, including just decrypting the section. There is no protection against the owner of the box.

The biggest protection that you get here is against the web.config file itself being leaked. If a malicious party gets a copy of the file, the sensitive data it contains can't be used to attack you if it is encrypted.

Xander
    FWIW, this is the same reason so many people put secrets in environment variables. Sure, if you're able to gain code execution privileges you can read the values directly, but gaining code execution privileges is generally considered more difficult than reading arbitrary files from disk. – Levi Sep 25 '14 at 15:47
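The following is an added example (not code from the question, the answer, or Microsoft's documentation) of what "encrypting a web.config section" concretely means in ASP.NET: the `connectionStrings` section is protected in place with the built-in `RsaProtectedConfigurationProvider`, and application code keeps reading the value through `ConfigurationManager` unchanged, because the framework decrypts it at load time. The virtual path `"/"` and the app pool identity `IIS APPPOOL\MySitePool` are placeholder assumptions.

```csharp
// Added example, not part of the original Q&A. Protects and unprotects the
// <connectionStrings> section of a site's web.config and shows that the
// application reads the plaintext transparently once the section is protected.
// Assumptions (hypothetical): the site is mounted at virtual path "/" and its
// worker process runs as "IIS APPPOOL\MySitePool".
using System;
using System.Configuration;
using System.Web.Configuration;

static class ConfigProtection
{
    const string Section = "connectionStrings";
    const string Provider = "RsaProtectedConfigurationProvider";

    // Encrypt the section body in place. The section name and the
    // configProtectionProvider attribute stay in clear text; only the
    // contents become an <EncryptedData> element.
    public static void Protect(string virtualPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConfigurationSection section = config.GetSection(Section);
        if (section != null && !section.SectionInformation.IsProtected)
        {
            section.SectionInformation.ProtectSection(Provider);
            config.Save(ConfigurationSaveMode.Modified);
        }
    }

    // Reverse the operation. This only succeeds for an identity that can
    // read the RSA key container, which is the whole point of the scheme.
    public static void Unprotect(string virtualPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConfigurationSection section = config.GetSection(Section);
        if (section != null && section.SectionInformation.IsProtected)
        {
            section.SectionInformation.UnprotectSection();
            config.Save(ConfigurationSaveMode.Modified);
        }
    }

    // Audit check: report whether the section is protected without
    // touching the key container or decrypting anything.
    public static bool IsProtected(string virtualPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConfigurationSection section = config.GetSection(Section);
        return section != null && section.SectionInformation.IsProtected;
    }

    // Application code is unchanged: the framework decrypts on load when the
    // worker process identity has been granted read access to the container.
    public static string ReadConnectionString(string name)
    {
        ConnectionStringSettings cs = ConfigurationManager.ConnectionStrings[name];
        return cs == null ? null : cs.ConnectionString;
    }

    static void Main()
    {
        Protect("/");
        Console.WriteLine("protected: " + IsProtected("/"));
        Console.WriteLine("still readable by the app: " +
                          (ReadConnectionString("MainDb") != null));
    }
}
```

The same result is obtained from an elevated prompt with `aspnet_regiis -pe "connectionStrings" -app "/" -prov "RsaProtectedConfigurationProvider"` (and `-pd` to reverse it). Before the worker process can decrypt, its identity needs read access to the RSA key container, which by default is `NetFrameworkConfigurationKey`: `aspnet_regiis -pa "NetFrameworkConfigurationKey" "IIS APPPOOL\MySitePool"`. That ACL is what turns the answer's point into something checkable: a leaked copy of web.config carries only ciphertext, and decrypting it requires either running as an identity granted on that container or, for the DPAPI provider, running on the original machine, so a file-read bug on its own no longer exposes the secret.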