Dailydave mailing list archives

Re: XSS in viewstate


From: Raw Data <rawdataz () gmail com>
Date: Fri, 19 Feb 2010 18:45:53 +0000

Hi Dave,

This problem has been hinted at by MS since the release of .Net 2.0; even
my team was able to reproduce this a while ago, so I was a bit
surprised when this advisory was released, as I thought this was
already known.

From my point of view the problem here is not the tampering of
non-encrypted/signed Viewstate. The problem lies with applications
that are load-balanced and using signed/encrypted Viewstate.

When Viewstate is used on a single machine, the encryption key/signing
MAC is managed internally and auto-generated. However, when it's being
used on a web farm environment this key has to be shared between all
servers, so it has to be set manually, and here lies the problem. Will
everybody instruct their operations teams to change this on, let's
say, a weekly basis?

Even worse, now that Viewstate is in the spotlight, it's fairly easy
to imagine that someone will write a tool to brute-force it or devise
some easier way to break it. Remember that the MachineKey which is
used to encrypt/sign the Viewstate has other functions besides this
one (Forms authentication tickets and role cookies).

Solutions?

Cheers,

RD


On Fri, Feb 19, 2010 at 2:45 PM, dave <dave () immunityinc com> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

http://www.hacking-lab.com/misc/downloads/ViewState_Afames.pdf

This, on first glance, looks real to me. Does anyone have any comments
on it? ViewState is pretty complex and fairly opaque. If I understand
properly, MS does not publish the full specs to it? Maybe the Mono team
found them somewhere?

- -dave
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkt+pCEACgkQtehAhL0ghepUJQCeMs9I2pnL3z4eYicYF44xaUgd
T4gAnjD/aFU9Z2tWRHge7i4Ch48BS3Ph
=w0qz
-----END PGP SIGNATURE-----
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave

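The mechanics RD's message argues about (a MAC over the serialized ViewState, one validationKey that every farm node must share, rotation invalidating everything signed under the old key, and the same key also protecting forms-authentication tickets) as an added, runnable model. This is editor-supplied example code, not code from the thread, from Microsoft or from the linked paper: it does not reproduce ASP.NET's actual LOS serialization or its key derivation, only a plain HMAC-SHA1 over a constructed payload with a page modifier. Key material, payloads and the page name are all constructed for the demo.

```python
"""
Added illustration, not code from the thread or from Microsoft: a
simplified model of a MAC-protected ViewState.  ASP.NET's real LOS
serialization and key handling differ; this keeps only what the post
argues about: one shared validationKey per web farm, rotation cost,
and the same key protecting more than ViewState.
"""
import base64
import hashlib
import hmac
import secrets
from typing import Optional

MAC_LEN = hashlib.sha1().digest_size  # 20 bytes


def generate_key() -> bytes:
    """Stand-in for an auto-generated per-machine key (single-server mode)."""
    return secrets.token_bytes(64)


def sign(payload: bytes, modifier: bytes, key: bytes) -> str:
    """base64(payload || HMAC-SHA1(key, payload || modifier)).

    `modifier` plays the role of a page-specific salt so that a ViewState
    issued for one page cannot simply be replayed to another."""
    mac = hmac.new(key, payload + modifier, hashlib.sha1).digest()
    return base64.b64encode(payload + mac).decode()


def verify(blob: str, modifier: bytes, key: bytes) -> Optional[bytes]:
    """Return the payload if the MAC validates, else None (MAC failure)."""
    raw = base64.b64decode(blob)
    if len(raw) <= MAC_LEN:
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(key, payload + modifier, hashlib.sha1).digest()
    return payload if hmac.compare_digest(mac, expected) else None


# Constructed sample data (not a real .NET serialization): what the server
# emitted, and the edit an attacker wants to smuggle back in.
PAGE_MODIFIER = b"/Default.aspx"
GOOD_PAYLOAD = b"ctl00$Label1.Text=Welcome back"
EVIL_PAYLOAD = b"ctl00$Label1.Text=<script>alert(1)</script>"


def tamper_without_key(key: bytes) -> bool:
    """Attacker swaps the payload but must reuse the old MAC: rejected."""
    raw = base64.b64decode(sign(GOOD_PAYLOAD, PAGE_MODIFIER, key))
    forged = base64.b64encode(EVIL_PAYLOAD + raw[-MAC_LEN:]).decode()
    return verify(forged, PAGE_MODIFIER, key) is None


def tamper_with_leaked_key(key: bytes) -> bool:
    """Once the shared validationKey leaks or is brute-forced, the attacker
    re-signs any payload and every node in the farm accepts it."""
    forged = sign(EVIL_PAYLOAD, PAGE_MODIFIER, key)
    return verify(forged, PAGE_MODIFIER, key) == EVIL_PAYLOAD


def farm_accepts_cross_node(shared_key: Optional[bytes]) -> bool:
    """Why the key must be shared: node A signs, node B verifies.
    With per-node auto-generated keys (shared_key=None) a postback that
    lands on the other node fails validation."""
    key_a = shared_key or generate_key()
    key_b = shared_key or generate_key()
    blob = sign(GOOD_PAYLOAD, PAGE_MODIFIER, key_a)
    return verify(blob, PAGE_MODIFIER, key_b) is not None


def forged_auth_ticket(key: bytes) -> bool:
    """The same key protects the forms-authentication ticket, so a key lost
    through a ViewState attack also lets the attacker mint tickets."""
    ticket = sign(b"name=admin;expires=2099-01-01", b"FormsAuth", key)
    return verify(ticket, b"FormsAuth", key) is not None


def rotated_key_rejects_old(old_key: bytes, new_key: bytes) -> bool:
    """The cost of the weekly rotation the post asks about: everything
    signed under the old key, including live users' ViewState, is rejected."""
    blob = sign(GOOD_PAYLOAD, PAGE_MODIFIER, old_key)
    return verify(blob, PAGE_MODIFIER, new_key) is None


if __name__ == "__main__":
    farm_key = generate_key()  # the manually configured, shared validationKey
    for name, fn in [
        ("tamper rejected without key", lambda: tamper_without_key(farm_key)),
        ("tamper accepted with leaked key", lambda: tamper_with_leaked_key(farm_key)),
        ("farm verifies across nodes (shared key)", lambda: farm_accepts_cross_node(farm_key)),
        ("farm verifies across nodes (per-node keys)", lambda: farm_accepts_cross_node(None)),
        ("auth ticket forgeable with same key", lambda: forged_auth_ticket(farm_key)),
        ("old ViewState rejected after rotation", lambda: rotated_key_rejects_old(farm_key, generate_key())),
    ]:
        print(f"{name}: {fn()}")
```

The model deliberately uses one key for both ViewState and the ticket, which is the coupling the post warns about; the practical takeaways it makes concrete are that MAC validation stops tampering only as long as the shared key stays secret, that a farm cannot use auto-generated keys without breaking cross-node postbacks, and that rotating the key is not free because every ViewState and ticket in flight is invalidated.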


Current thread: