Penetration Testing mailing list archives
Re: Spoofing .NET ViewState
From: H D Moore <sflist () digitaloffense net>
Date: Thu, 12 Jan 2006 23:28:19 -0600
The ViewState has a 'MAC' appended to the end by default. If you modify the ViewState with ViewStateMac enabled (default in web.xml), the .NET layer will mark it as invalid and the error handler will be invoked. This MAC is either a MD5 or SHA-1 hash of the ViewState data plus a secret key generated automatically by the web server. There are a few applications out there that let you examine the structure of a ViewState (think of a tree of name/value pairs), but 'spoofing' it requires some crypto hackery.

There are some exceptions:

1) If ViewStateMac is disabled, you can do some really evil things to the backend application. What you can do depends on the app - disable the MAC to find out :-) There used to be an overflow (pre-1.0 .NET)...

2) If you can force the application to place your data into the ViewState, you can replay the MAC'd VS string for the life of the key. The VS has a Page ID embedded within it, this should prevent that VS from being valid on any other pages, however in 1.0 it was not enforced (IIRC), not sure about 1.1 or whatever the latest version is.

3) If you break into the .NET server, you can hardcode the encryption key and view state key inside web.xml - if you modify the default web.xml file (somewhere in System32?), it's a fairly evil backdoor that can let you bypass authentication (depends of course, on the app).

You might find the following (old) tool useful:
http://metasploit.com/users/hdm/tools/dnascan.pl.gz

-HD

On Thursday 12 January 2006 16:36, Keith Hanson wrote:
> Was wondering if there are any .NET developers/Pen-Testers out there who might know how to do this. I'm currently attempting to override the viewstate of a .NET application with my own viewstate, and get the application to auto-fill in the values using the Viewstate. I've used JavaScript to set the value of the hidden field __VIEWSTATE with my own, and then submitted the form, but to no avail. My test project is a pretty simple app, with a text box and a submit button.
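The following is an added example, not code from this thread, from HD Moore, or from .NET itself. It is a small Python model of the MAC check HD describes: the server appends a keyed MAC over the serialized name/value tree, so a client-side edit of the hidden field (what Keith tried) fails validation, while a MAC'd string captured from one page is only rejected on another page if the page identity is bound into the MAC (HD's exception 2). The serialization format, the key (a constructed random value standing in for the auto-generated server key), the page ids, the use of HMAC-SHA256 rather than the MD5/SHA-1 construction mentioned in the post, and the `validate_mac_disabled` function (modelling the ViewStateMac-off configuration) are all assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for the server's auto-generated secret key
# (assumption: 32 random bytes, one per server process).
SERVER_KEY = secrets.token_bytes(32)
TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag


def serialize(state: dict) -> bytes:
    """Deterministic encoding of the name/value tree (toy format, not .NET's)."""
    return json.dumps(state, sort_keys=True, separators=(",", ":")).encode()


def _tag(key: bytes, page_id: str, payload: bytes) -> bytes:
    # Bind the page id into the MAC input so a blob MAC'd for one page
    # cannot be replayed on another page under the same key.
    return hmac.new(key, page_id.encode() + b"\x00" + payload, hashlib.sha256).digest()


def mac_viewstate(state: dict, page_id: str, key: bytes = SERVER_KEY) -> str:
    """Server side: serialize the state and append the keyed MAC (ViewStateMac on)."""
    payload = serialize(state)
    return base64.b64encode(payload + _tag(key, page_id, payload)).decode()


def validate_viewstate(blob: str, page_id: str, key: bytes = SERVER_KEY):
    """Server side: return the state tree, or None if the MAC does not verify."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (ValueError, TypeError):
        return None
    if len(raw) <= TAG_LEN:
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    # Constant-time comparison so the check itself does not leak the tag.
    if not hmac.compare_digest(tag, _tag(key, page_id, payload)):
        return None
    return json.loads(payload)


def validate_mac_disabled(blob: str):
    """Model of ViewStateMac=off: whatever the client sent is trusted (assumption)."""
    raw = base64.b64decode(blob)
    return json.loads(raw[:-TAG_LEN])


def tampered_copy(blob: str, old: bytes, new: bytes) -> str:
    """Client-side edit of the hidden field: change the payload, keep the old tag."""
    raw = base64.b64decode(blob)
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    return base64.b64encode(payload.replace(old, new) + tag).decode()


def run_demo() -> dict:
    # Constructed sample state: a quantity field and the user the page belongs to.
    state = {"qty": 1, "user": "alice"}
    blob = mac_viewstate(state, "Checkout.aspx")
    edited = tampered_copy(blob, b'"qty":1', b'"qty":9')
    return {
        # Untouched blob on the page it was issued for: accepted.
        "valid": validate_viewstate(blob, "Checkout.aspx"),
        # Edited hidden field with the original tag: rejected.
        "tampered": validate_viewstate(edited, "Checkout.aspx"),
        # Genuine blob replayed on a different page: rejected because the
        # page id is part of the MAC input.
        "replayed_on_other_page": validate_viewstate(blob, "Admin.aspx"),
        # With the MAC check disabled, the edited tree is accepted as-is.
        "mac_disabled_accepts_tampered": validate_mac_disabled(edited),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The point for a reviewer of such an application is the last entry: once the MAC check is off, the server is deserializing whatever tree the client chose, which is why the configuration flag matters more than the secrecy of the serialization format.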
Current thread:
- Spoofing .NET ViewState Keith Hanson (Jan 12)
- Re: Spoofing .NET ViewState H D Moore (Jan 13)
- Re: Spoofing .NET ViewState bryan allott (Jan 13)
- RE: Spoofing .NET ViewState Debasis Mohanty (Jan 15)
- Re: Spoofing .NET ViewState Ademar Gonzalez (Jan 15)
- RE: Spoofing .NET ViewState Debasis Mohanty (Jan 15)
- <Possible follow-ups>
- Re: Spoofing .NET ViewState Andrew (Jan 13)
- Re: Spoofing .NET ViewState Keith Hanson (Jan 13)