Dailydave mailing list archives

Re: XSS in viewstate


From: "I)ruid" <druid () caughq org>
Date: Fri, 19 Mar 2010 14:28:44 -0500

On Fri, 2010-02-19 at 12:20 -0800, David Byrne wrote:
The machine key does have to be manually set in a load balanced
environment, but I don't see that as being a problem. .Net supports
512-bit machine keys
(http://msdn.microsoft.com/en-us/library/ms998288.aspx), which is well
beyond brute-force attacks. That's such a large key space that I don't
think rotation is critical to maintain good security. If a way to
bypass the MAC is discovered, that would be huge news, but it seems to
be pretty solid for now.

Unless the key is somehow otherwise compromised, say stolen from the
backup or off-system key storage.  If you don't regularly rotate the
key, unauthorized access provided by a stolen key is perpetual.  A brute
force attack isn't the only threat the key faces.

-- 
I)ruid, C²ISSP
druid () caughq org
http://druid.caughq.org

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
