Blacklist3r

The goal of this project is to accumulate the secret keys / secret materials related to various web frameworks, that are publicly available and potentially used by developers. These secrets will be utilized by the Blacklist3r tools to audit the target application and verify the usage of these pre-published keys.

We are releasing this project with.Net machine key tool to identify usage of pre-shared Machine Keys in the application for encryption and decryption of forms authentication cookie.

Note: Requires Visual Studio 2019, not 2022. Visual Studio 2022 does not support .NET Framework 4.5, which this repo relies on.

References:

• Project Blacklist3r
• Identify and Exploit ViewState Deserialization
• Code injection attacks using publicly disclosed ASP.NET machine keys

Mention

• ASP.NET Cryptography for Pentesters
• Customising Blacklist3r for OWIN OAuth Access Tokens