Re: ASP.NET __VIEWSTATE crypto validation prone to replay attacks

[Anton Ivanov <arivanov () sigsegv cx>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

One more example.

http://www.theregister.co.uk/2005/05/11/ms_gatekeeper_test_fiasco/

It looks like someone already used this to rig his scores in the
Microsoft Security Professional competition.

ROFL.

A.

Michal Zalewski wrote:

| I would also like to point all concerned to an excellent post about
|  replay attacks on __VIEWSTATE; the post is by Scott Mitchell, the
| guy who authored the MSDN article I initially referred to [1]:
|
| http://scottonwriting.net/sowblog/posts/3747.aspx
|
| His article is aimed at developers; Scott explains the issue I
| reported in a way that makes it perhaps more clear why putting user
|  ID, session ID, or other similar data in __VIEWSTATE is not a
| remedy by itself, and why reposting __VIEWSTATE is dangerous
| despite target script location checks.
|
| [1]
| http://msdn.microsoft.com/library/en-us/dnaspp/html/viewstate.asp
|
| Cheers, /mz
|


- --
La Châtelier's Law:

~          If some stress is brought to bear on a system in equilibrium,
the equilibrium is displaced in the direction which tends to undo the
effect of the stress.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCgxKX/NpXLt3l5xURAoCRAKCST0nfsIav2YahTueJdgyl1sjfIQCgwRhm
L/0uD824ZveBMYbo9yi1ErI=
=0rM6
-----END PGP SIGNATURE-----