Penetration Testing mailing list archives

Re: Spoofing .NET ViewState


From: Andrew <quickt () gmail com>
Date: Fri, 13 Jan 2006 14:41:18 +0800

You can try using proxies like BURP or Paros to intercept HTTP traffic and
modify the _VIEWSTATE value on the fly. This is definitely a faster method
than what you are doing now. Viewstate Decoder may help you in your
investigation also. You can prevent session fixation and hijacking by
encrypting ViewState and setting the ViewStateUserKey though.

As for reporting vulnerabilities, it may be good if you can give the vendor
some time and try to work with them to solve the issue. I know of some guys who
will give the vendors reasonable deadlines before they release PoCs. This is
because some bad guy is probably going to find it anyway and he could use it
to launch 0-days against vulnerable systems. This will also help force
uninterested vendors to react.


Just my 2c.


Andrew Chan

----- Original Message -----
From: "Keith Hanson" <seraphimrhapsody () gmail com>
To: <pen-test () securityfocus com>
Sent: Friday, January 13, 2006 6:36 AM
Subject: Spoofing .NET ViewState


Hi everyone,
First time I posted to this, long-time lurker, so if I'm doing
anything etiquettely incorrect, then please let me know ^_^.

Was wondering if there's any .NET developers/Pen-Testers out there who
might know how to do this. I'm currently attempting to override the
viewstate of a .NET application with my own viewstate, and get the
application to auto-fill in the values using the Viewstate. I've used
JavaScript to set the value of the hidden field __VIEWSTATE with my
own, and then submitted the form, but to no avail. My test project is
a pretty simple app, with a text box and a submit button.

I enter a value into the text box, hit submit, grab the new viewstate
after submission (it, of course, successfully changes), then hard code
that into a JavaScript function to overwrite the ViewState. The
function will overwrite the viewstate and then do a form submission. On
the next page load, I want it to read the viewstate and then, as far
as I know, should populate the textfield using that viewstate. But for
some reason... it doesn't?

Does anyone have any input?


Also, as a side question, how would I go about releasing an exploit to
BugTraq with Proof-Of-Concept code and explanation of the issue? I've
contacted the vendor, and even gave them the issue and code. It's been
about 3 months ago, and I got no response after I gave them the
information for a whole month. Two weeks after submission, I asked
about it, and got no reply until two weeks later, I told them that I'd
like to go ahead and publicly disclose the issue since there was no
response from the company. I promptly got a response explaining that
he thought I had been contacted (Not sure if this is all that true,
given the lack of any response at all to my previous inquiries). What
do you guys suggest I do given your previous experiences?

Thanks,
--Keith
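
Added example (not part of either message, and not ASP.NET's own code): a simplified Python model of a state field protected by a MAC that is bound to a per-user key, which is the idea behind the ViewStateUserKey setting mentioned in the reply. It models integrity binding only, not encryption; the key, field name, session labels and the JSON/HMAC-SHA256 layout are constructed assumptions, not the real ViewState format.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; stands in for a server-side validation key.
SERVER_KEY = b"constructed-demo-machine-key"
MAC_LEN = hashlib.sha256().digest_size


def _mac(payload: bytes, user_key: str) -> bytes:
    # Derive a per-user key so a tag issued to one user never verifies for another.
    per_user = hmac.new(SERVER_KEY, user_key.encode(), hashlib.sha256).digest()
    return hmac.new(per_user, payload, hashlib.sha256).digest()


def protect(state: dict, user_key: str) -> str:
    """Serialize state and append the MAC, as the server would when rendering."""
    payload = json.dumps(state, sort_keys=True).encode()
    return base64.b64encode(payload + _mac(payload, user_key)).decode()


def validate(field: str, user_key: str):
    """Return the state dict on postback, or None if the field must be rejected."""
    try:
        raw = base64.b64decode(field, validate=True)
    except ValueError:
        return None  # not even well-formed base64
    if len(raw) <= MAC_LEN:
        return None
    payload, tag = raw[:-MAC_LEN], raw[-MAC_LEN:]
    if not hmac.compare_digest(tag, _mac(payload, user_key)):
        return None  # edited payload, or a field issued under another user key
    return json.loads(payload)


def demo() -> dict:
    field = protect({"TextBox1": "hello"}, "session-A")  # constructed sample
    raw = base64.b64decode(field)
    edited = base64.b64encode(raw.replace(b"hello", b"HELLO")).decode()
    return {
        "same_user": validate(field, "session-A"),    # untouched field round-trips
        "edited": validate(edited, "session-A"),      # modified in transit
        "other_user": validate(field, "session-B"),   # replayed under another user
    }
```

An untouched field posted back under the same user key validates; a field edited in transit, or one captured under a different user key, is rejected before any value is read from it.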
