Penetration Testing mailing list archives
Re: Spoofing .NET ViewState
From: Andrew <quickt () gmail com>
Date: Fri, 13 Jan 2006 14:41:18 +0800
You can try using proxies like BURP or Paros to intercept HTTP traffic and modify the _VIEWSTATE value on the fly. This is definately a faster method than what you are doing now. Viewstate Decoder may help you in your investigation also. You can prevent session fixation and hijacking by encrypting ViewState and setting the ViewStateUserKey though. As for reporting vulnerabilities, it may be good if you can give the vendor some time and try to work them to solve the issue. I know of some guys who will give the vendors reasonable deadlines before they release PoCs. This is because some bad guy is probably going to find it anyway and he could use it to launch 0-days against vulnerable systems. This will also help force uninterested vendors to react. Just my 2c. Andrew Chan ----- Original Message ----- From: "Keith Hanson" <seraphimrhapsody () gmail com> To: <pen-test () securityfocus com> Sent: Friday, January 13, 2006 6:36 AM Subject: Spoofing .NET ViewState
Hi everyone, First time I posted to this, long-time lurker, so if I'm doing anything etiquettely incorrect, then please let me know ^_^. Was wondering if there's any .NET developers/Pen-Testers out there who might know how to do this. I'm currently attempting to override the viewstate of a .NET application with my own viewstate, and get the application to auto-fill in the values using the Viewstate. I've used JavaScript to set the value of the hidden field __VIEWSTATE with my own, and then submitted the form, but to no avail. My test project is a pretty simple app, with a text box and a submit button. I enter a value into the text box, hit submit, grab the new viewstate after submission (it, of course, successfully changes), then hard code that into a JavaScript function to overwrite the ViewState. The function will overwrite the viewstate and the do a form submission. On the next page load, I want it to read the viewstate and then, as far as I know, should populate the textfield using that viewstate. But for some reason... it doesn't? Does anyone have any input? Also, as a side question, how would I go about releasing an exploit to BugTraq with Proof-Of-Concept code and explanation of the issue? I've contacted the vendor, and even gave them the issue and code. It's been about 3 months ago, and I got no response after I gave them the information for a whole month. Two weeks after submission, I asked about it, and got no reply until two weeks later, I told them that I'd like to go ahead and publicly disclose the issue since there was no response from the company. I promptly got a response explaining that he thought I had been contacted (Not sure if this is all that true, given the lack of any response at all to my previous inquiries). What do you guys suggest I do given your previous experiences? Thanks, --Keith ------------------------------------------------------------------------------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
------------------------------------------------------------------------------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
Current thread:
- Spoofing .NET ViewState Keith Hanson (Jan 12)
- Re: Spoofing .NET ViewState H D Moore (Jan 13)
- Re: Spoofing .NET ViewState bryan allott (Jan 13)
- RE: Spoofing .NET ViewState Debasis Mohanty (Jan 15)
- Re: Spoofing .NET ViewState Ademar Gonzalez (Jan 15)
- RE: Spoofing .NET ViewState Debasis Mohanty (Jan 15)
- <Possible follow-ups>
- Re: Spoofing .NET ViewState Andrew (Jan 13)
- Re: Spoofing .NET ViewState Keith Hanson (Jan 13)