Dailydave mailing list archives
Re: XSS in viewstate
From: David Byrne <DByrne () trustwave com>
Date: Fri, 19 Feb 2010 15:44:29 -0600
In theory, just about all pages will be vulnerable to XSS if MAC is turned off. In practice, it can be difficult to launch an attack. One problem is that pages won't use the client's view state if .Net decides it isn't fresh. Some pages may happen to be written so that the client-side state is never fresh. Again, in theory, it should be possible to add attributes to the view state to form an attack, but I've found it much easier to alter existing attributes, usually text or innerhtml values. ViewStateHacker is a great tool for view state analysis but it wasn't really intended for extensive client-side editing. That's what I use now, but it's a pain.

Regarding Expression Language (EL), it only allows values to be read; you can't set anything. Injecting EL into JavaServer Faces view states makes it possible to read server-side session variables (and similarly scoped data).

Thanks,

David Byrne
Senior Security Consultant
Trustwave - SpiderLabs, Application Security

-----Original Message-----
From: dailydave-bounces () lists immunitysec com [mailto:dailydave-bounces () lists immunitysec com] On Behalf Of dave
Sent: Friday, February 19, 2010 12:16 PM
To: Chris Weber
Cc: dailydave () lists immunityinc com
Subject: Re: [Dailydave] XSS in viewstate

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

We usually see MAC protection turned off on at least one page during an assessment. Does this mean that you can always have XSS if MAC protection is turned off? That would be pretty cool.

I'm not familiar with Expression Language, but the TrustWave advisory indicates that things can be executed on the server as well. What's the story there?

- -dave

( https://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt )

Chris Weber wrote:
One important thing to note is that VIEWSTATE MAC protection is enabled by default. It's only when this protection is purposely disabled that tampering and this XSS vector become possible. You can detect when this protection has been disabled either through code review, or passively with dynamic testing which is what we'll be doing with the Watcher tool.

-Chris

-----Original Message-----
From: dailydave-bounces () lists immunitysec com [mailto:dailydave-bounces () lists immunitysec com] On Behalf Of dave
Sent: Friday, February 19, 2010 6:46 AM
To: dailydave () lists immunityinc com
Subject: [Dailydave] XSS in viewstate

http://www.hacking-lab.com/misc/downloads/ViewState_Afames.pdf

This, on first glance, looks real to me. Does anyone have any comments on it? ViewState is pretty complex and fairly opaque. If I understand properly, MS does not publish the full specs to it? Maybe the Mono team found them somewhere?

-dave
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkt+418ACgkQtehAhL0gheqD1wCfXQXEjvXeJhTaF+NfSpareeOo
D88AnjbySEoJBWp0NFvjuDw7aYndLeb8
=jZiY
-----END PGP SIGNATURE-----
Current thread:
- XSS in viewstate dave (Feb 19)
- Re: XSS in viewstate Chris Weber (Feb 19)
- Re: XSS in viewstate dave (Feb 19)
- Re: XSS in viewstate David Byrne (Feb 19)
- Re: XSS in viewstate dave (Feb 19)
- Re: XSS in viewstate Raw Data (Feb 19)
- Re: XSS in viewstate David Byrne (Feb 19)
- Re: XSS in viewstate I)ruid (Mar 21)
- Re: XSS in viewstate David Byrne (Feb 19)
- Re: XSS in viewstate David Byrne (Feb 19)
- Re: XSS in viewstate Nicolas RUFF (Feb 21)
- Re: XSS in viewstate Chris Weber (Feb 19)