Dailydave mailing list archives

Previous By Date Next
Previous By Thread Next

Re: XSS in viewstate

From: David Byrne <DByrne () trustwave com>
Date: Fri, 19 Feb 2010 13:15:25 -0600
This is very real. The Hacking Lab document is actually an (unattributed) cut and paste job from a larger advisory that 
we released earlier in the month. The topic was discussed in more detail at a BlackHat DC presentation. 

https://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt
http://www.blackhat.com/html/bh-dc-10/bh-dc-10-archives.html#Byrne


Microsoft doesn't fully document the view state format, but it isn't too hard to discover using tools like .Net 
Reflector (http://reflector.red-gate.com). There are several tools that will decode the view state; my favorite is 
ViewStateHacker (http://www.woany.co.uk/viewstatehacker/). 

Our advisory is about view state vulnerabilities in three different web app frameworks. Microsoft comes out pretty good 
because they secure the view state by default, but it's not that rare to find ASP.Net web apps with disabled view state 
security. The reason is usually lazy administration; load balanced environments are simpler when the view state 
security is disabled (what isn't easier without security). The only framework vulnerability that we could find in .Net 
was XSS. Of course, custom applications can have any type of vulnerability introduced.

Apache MyFaces and Sun Mojarra were more serious. View state security is disabled by default and few sites use it. In 
addition to XSS, it's also possible to upload JSP Expression Language statements to the server. This allows an attacker 
to read any request, session, application, or server-scoped variable defined by the developer. It isn't unusual for 
sensitive data to be stored in server-side session variables, so it can be a useful attack.



Thanks,
David Byrne
Senior Security Consultant
Trustwave - SpiderLabs, Application Security

Email: dbyrne () trustwave com
Phone (office & cell): 720-279-4123





-----Original Message-----
From: dailydave-bounces () lists immunitysec com [mailto:dailydave-bounces () lists immunitysec com] On Behalf Of dave
Sent: Friday, February 19, 2010 7:46 AM
To: dailydave () lists immunityinc com
Subject: [Dailydave] XSS in viewstate

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

http://www.hacking-lab.com/misc/downloads/ViewState_Afames.pdf

This, on first glance, looks real to me. Does anyone have any comments
on it? ViewState is pretty complex and fairly opaque. If I understand
properly, MS does not publish the full specs to it? Maybe the Mono team
found them somewhere?

- -dave
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkt+pCEACgkQtehAhL0ghepUJQCeMs9I2pnL3z4eYicYF44xaUgd
T4gAnjD/aFU9Z2tWRHge7i4Ch48BS3Ph
=w0qz
-----END PGP SIGNATURE-----
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave



_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
Previous By Date Next
Previous By Thread Next

Current thread: