Dailydave mailing list archives
Re: XSS in viewstate
From: "I)ruid" <druid () caughq org>
Date: Fri, 19 Mar 2010 14:28:44 -0500
On Fri, 2010-02-19 at 12:20 -0800, David Byrne wrote:
> The machine key does have to be manually set in a load balanced environment, but I don't see that as being a problem. .Net supports 512-bit machine keys (http://msdn.microsoft.com/en-us/library/ms998288.aspx), which is well beyond brute-force attacks. That's such a large key space that I don't think rotation is critical to maintain good security. If a way to bypass the MAC is discovered, that would be huge news, but it seems to be pretty solid for now.
Unless the key is somehow otherwise compromised, say stolen from the backup or off-system key storage. If you don't regularly rotate the key, unauthorized access provided by a stolen key is perpetual. Brute force attack isn't the only threat the key faces.

--
I)ruid, C²ISSP
druid () caughq org
http://druid.caughq.org
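A constructed illustration of the rotation point made above (an added example, not code from this thread and not ASP.NET's actual viewstate MAC format): a viewstate-style HMAC whose validation keys live in a ring with key ids, so a key believed to have leaked can be retired and anything signed under it stops verifying, while a routine rollover keeps the previous key briefly. The class and function names are assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional


def sign_state(kid: str, key: bytes, state: dict) -> str:
    """Produce kid.payload.tag; the key id is part of the MAC input."""
    payload = json.dumps(state, sort_keys=True).encode()
    tag = hmac.new(key, kid.encode() + b"|" + payload, hashlib.sha256).digest()
    return ".".join([kid, base64.b64encode(payload).decode(), base64.b64encode(tag).decode()])


class MacKeyRing:
    """Validation keys indexed by id; only keys still in the ring verify (constructed model)."""

    def __init__(self) -> None:
        self.keys: Dict[str, bytes] = {}
        self.current = self.rotate()

    def rotate(self) -> str:
        """Add a fresh 512-bit key and make it current; older keys stay until retired."""
        kid = secrets.token_hex(4)
        self.keys[kid] = secrets.token_bytes(64)
        self.current = kid
        return kid

    def retire(self, kid: str) -> None:
        """Remove a key, e.g. one believed to have leaked from a backup."""
        self.keys.pop(kid, None)

    def protect(self, state: dict) -> str:
        return sign_state(self.current, self.keys[self.current], state)

    def unprotect(self, token: str) -> Optional[dict]:
        """Return the state if the MAC verifies under a key still in the ring, else None."""
        try:
            kid, payload_b64, tag_b64 = token.split(".")
            payload = base64.b64decode(payload_b64, validate=True)
            tag = base64.b64decode(tag_b64, validate=True)
        except (ValueError, binascii.Error):
            return None
        key = self.keys.get(kid)
        if key is None:
            return None  # unknown or retired key id: reject before doing any MAC work
        expected = hmac.new(key, kid.encode() + b"|" + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None
        return json.loads(payload)
```

Once a key id is retired, tokens carrying it fail regardless of how large the key was; the 512-bit key space only matters against guessing, not against a copy taken from storage.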