Dailydave mailing list archives
Re: XSS in viewstate
From: "Chris Weber" <chris () casabasecurity com>
Date: Fri, 19 Feb 2010 09:26:34 -0800
One important thing to note is that VIEWSTATE MAC protection is enabled by default. It's only when this protection is purposely disabled that tampering and this XSS vector become possible. You can detect when this protection has been disabled either through code review, or passively with dynamic testing which is what we'll be doing with the Watcher tool. -Chris -----Original Message----- From: dailydave-bounces () lists immunitysec com [mailto:dailydave-bounces () lists immunitysec com] On Behalf Of dave Sent: Friday, February 19, 2010 6:46 AM To: dailydave () lists immunityinc com Subject: [Dailydave] XSS in viewstate -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 http://www.hacking-lab.com/misc/downloads/ViewState_Afames.pdf This, on first glance, looks real to me. Does anyone have any comments on it? ViewState is pretty complex and fairly opaque. If I understand properly, MS does not publish the full specs to it? Maybe the Mono team found them somewhere? - -dave -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkt+pCEACgkQtehAhL0ghepUJQCeMs9I2pnL3z4eYicYF44xaUgd T4gAnjD/aFU9Z2tWRHge7i4Ch48BS3Ph =w0qz -----END PGP SIGNATURE----- _______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave _______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- XSS in viewstate dave (Feb 19)
- Re: XSS in viewstate Chris Weber (Feb 19)
- Re: XSS in viewstate dave (Feb 19)
- Re: XSS in viewstate David Byrne (Feb 19)
- Re: XSS in viewstate dave (Feb 19)
- Re: XSS in viewstate Raw Data (Feb 19)
- Re: XSS in viewstate David Byrne (Feb 19)
- Re: XSS in viewstate I)ruid (Mar 21)
- Re: XSS in viewstate David Byrne (Feb 19)
- Re: XSS in viewstate David Byrne (Feb 19)
- Re: XSS in viewstate Nicolas RUFF (Feb 21)
- Re: XSS in viewstate Chris Weber (Feb 19)