Bugtraq mailing list archives
Re: ASP.NET __VIEWSTATE crypto validation prone to replay attacks
From: Anton Ivanov <arivanov () sigsegv cx>
Date: Thu, 12 May 2005 09:23:52 +0100
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

One more example.

http://www.theregister.co.uk/2005/05/11/ms_gatekeeper_test_fiasco/

It looks like someone already used this to rig his scores in the
Microsoft Security Professional competition. ROFL.

A.

Michal Zalewski wrote:
| I would also like to point all concerned to an excellent post about
| replay attacks on __VIEWSTATE; the post is by Scott Mitchell, the
| guy who authored the MSDN article I initially referred to [1]:
|
| http://scottonwriting.net/sowblog/posts/3747.aspx
|
| His article is aimed at developers; Scott explains the issue I
| reported in a way that makes it perhaps more clear why putting user
| ID, session ID, or other similar data in __VIEWSTATE is not a
| remedy by itself, and why reposting __VIEWSTATE is dangerous
| despite target script location checks.
|
| [1]
| http://msdn.microsoft.com/library/en-us/dnaspp/html/viewstate.asp
|
| Cheers,
| /mz
|

- --
La Châtelier's Law:
~ If some stress is brought to bear on a system in equilibrium, the
equilibrium is displaced in the direction which tends to undo the effect
of the stress.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCgxKX/NpXLt3l5xURAoCRAKCST0nfsIav2YahTueJdgyl1sjfIQCgwRhm
L/0uD824ZveBMYbo9yi1ErI=
=0rM6
-----END PGP SIGNATURE-----
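The point quoted above (a MAC-validated __VIEWSTATE that also carries the user ID and is checked against the target page path can still be reposted, because the MAC proves the server produced the blob, not that it is fresh) is easier to see in a runnable model. The following Python is an added example, not code from the thread, from ASP.NET, or from Scott Mitchell's post: it stands in a JSON-plus-HMAC-SHA1 blob for the real __VIEWSTATE serializer, a constructed key for the machineKey validationKey, and a constructed two-question scored quiz for the competition page. The QuizPage class, the nonce scheme and all names are assumptions made for illustration. The replay_attack() function captures one legitimately rendered blob and reposts it; with user/path checks only, every repost scores, while a per-render nonce consumed from server-side session state rejects the replays.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed key standing in for ASP.NET's <machineKey validationKey>; hypothetical value.
VALIDATION_KEY = b"constructed-validation-key-do-not-reuse"


def encode_viewstate(state):
    """Model of __VIEWSTATE with EnableViewStateMac: serialize, then append HMAC-SHA1."""
    payload = json.dumps(state, sort_keys=True).encode()
    mac = hmac.new(VALIDATION_KEY, payload, hashlib.sha1).digest()
    return base64.b64encode(payload + mac).decode()


def decode_viewstate(blob):
    """Verify the MAC; return the state dict, or None if the blob was tampered with."""
    raw = base64.b64decode(blob)
    payload, mac = raw[:-20], raw[-20:]          # SHA-1 digest is 20 bytes
    expected = hmac.new(VALIDATION_KEY, payload, hashlib.sha1).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(payload)


def flip_byte(blob, index=2):
    """Return the blob with one payload byte flipped: the MAC does catch tampering."""
    raw = bytearray(base64.b64decode(blob))
    raw[index] ^= 0x01
    return base64.b64encode(bytes(raw)).decode()


class QuizPage:
    """Constructed scored quiz page. The correct answer for the question currently
    shown travels in __VIEWSTATE (MAC-protected, bound to user ID and page path);
    the score is kept server-side, which is what a replay inflates."""
    QUESTIONS = [("2+2", "4"), ("3*3", "9")]      # constructed sample questions

    def __init__(self, use_nonce=False):
        self.scores = {}          # user -> points (stands in for the database)
        self.session = {}         # user -> set of not-yet-consumed render nonces
        self.use_nonce = use_nonce

    def render(self, user, qindex):
        """Build the __VIEWSTATE a GET of /quiz.aspx would send to this user."""
        state = {"user": user, "path": "/quiz.aspx", "q": qindex,
                 "correct": self.QUESTIONS[qindex][1]}
        if self.use_nonce:
            nonce = secrets.token_hex(8)          # hypothetical anti-replay nonce
            self.session.setdefault(user, set()).add(nonce)
            state["nonce"] = nonce
        return encode_viewstate(state)

    def postback(self, user, path, viewstate, answer):
        """Handle a POST; returns a short status string."""
        state = decode_viewstate(viewstate)
        if state is None:
            return "mac failure"
        # The checks the thread says are not a remedy by themselves:
        if state["user"] != user or state["path"] != path:
            return "rejected: wrong user or page"
        if self.use_nonce:
            pending = self.session.get(user, set())
            if state["nonce"] not in pending:
                return "rejected: replayed viewstate"
            pending.discard(state["nonce"])       # one render, one postback
        if answer == state["correct"]:
            self.scores[user] = self.scores.get(user, 0) + 1
            return "correct"
        return "wrong"


def replay_attack(use_nonce, repeats=5):
    """Capture one legitimately rendered __VIEWSTATE and repost it `repeats` times
    as the same user to the same page. Returns (final score, per-post results)."""
    page = QuizPage(use_nonce=use_nonce)
    captured = page.render("alice", 0)
    results = [page.postback("alice", "/quiz.aspx", captured, "4")
               for _ in range(repeats)]
    return page.scores.get("alice", 0), results


if __name__ == "__main__":
    print("user/path binding only:", replay_attack(False))
    print("with consumed nonce:   ", replay_attack(True))
```

The MAC, the user ID and the path check all hold on every repost, because the attacker is the same user posting the same server-minted blob to the same page; only state that the server records per render and consumes on postback distinguishes the first submission from the replays.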
Current thread:
- ASP.NET __VIEWSTATE crypto validation prone to replay attacks Michal Zalewski (May 03)
- Re: ASP.NET __VIEWSTATE crypto validation prone to replay attacks H D Moore (May 05)
- <Possible follow-ups>
- RE: ASP.NET __VIEWSTATE crypto validation prone to replay attacks Tim Farley (May 05)
- Re: ASP.NET __VIEWSTATE crypto validation prone to replay attacks Michal Zalewski (May 05)
- Re: ASP.NET __VIEWSTATE crypto validation prone to replay attacks Michal Zalewski (May 06)
- Re: ASP.NET __VIEWSTATE crypto validation prone to replay attacks Anton Ivanov (May 12)
- Re: ASP.NET __VIEWSTATE crypto validation prone to replay attacks Michal Zalewski (May 06)