Bugtraq mailing list archives
RE: ASP.NET __VIEWSTATE crypto validation prone to replay attacks
From: "Tim Farley" <tfarley () spidynamics com>
Date: Tue, 3 May 2005 12:58:33 -0400
Microsoft has addressed your issues 1-a, 1-b and 1-c by adding a property "ViewStateUserKey" to the System.Web.UI.Page class in .NET Framework 1.1. The documentation for this property is here: http://msdn.microsoft.com/library/en-us/cpref/html/frlrfsystemwebuipageclassviewstateuserkeytopic.asp Of course, it is up to the individual web page developer to ensure an appropriate non-trivial value has been placed into this property. As we all know, this is exactly the sort of detail that developers often forget or flub, with disastrous results. --Tim Farley SPI Dynamics Start Secure. Stay Secure. Security Assurance Throughout the Application Lifecycle.
Current thread:
- ASP.NET __VIEWSTATE crypto validation prone to replay attacks Michal Zalewski (May 03)
- Re: ASP.NET __VIEWSTATE crypto validation prone to replay attacks H D Moore (May 05)
- <Possible follow-ups>
- RE: ASP.NET __VIEWSTATE crypto validation prone to replay attacks Tim Farley (May 05)
- Re: ASP.NET __VIEWSTATE crypto validation prone to replay attacks Michal Zalewski (May 05)
- Re: ASP.NET __VIEWSTATE crypto validation prone to replay attacks Michal Zalewski (May 06)
- Re: ASP.NET __VIEWSTATE crypto validation prone to replay attacks Anton Ivanov (May 12)
- Re: ASP.NET __VIEWSTATE crypto validation prone to replay attacks Michal Zalewski (May 06)