Penetration Testing mailing list archives

Re: Spoofing .NET ViewState


From: H D Moore <sflist () digitaloffense net>
Date: Thu, 12 Jan 2006 23:28:19 -0600

The ViewState has a 'MAC' appended to the end by default. If you modify 
the ViewState with ViewStateMac enabled (default in web.xml), the .NET 
layer will mark it as invalid and the error handler will be invoked. This 
MAC is either an MD5 or SHA-1 hash of the ViewState data plus a secret key 
generated automatically by the web server. There are a few applications 
out there that let you examine the structure of a ViewState (think of a 
tree of name/value pairs), but 'spoofing' it requires some crypto 
hackery. There are some exceptions:

1) If ViewStateMac is disabled, you can do some really evil things to the 
backend application. What you can do depends on the app - disable the MAC 
to find out :-) There used to be an overflow (pre-1.0 .NET)...

2) If you can force the application to place your data into the ViewState, 
you can replay the MAC'd VS string for the life of the key. The VS has a 
Page ID embedded within it; this should prevent that VS from being valid 
on any other pages, however in 1.0 it was not enforced (IIRC), not sure 
about 1.1 or whatever the latest version is.

3) If you break into the .NET server, you can hardcode the encryption key 
and view state key inside web.xml - if you modify the default web.xml 
file (somewhere in System32?), it's a fairly evil backdoor that can let 
you bypass authentication (depends of course, on the app). 

You might find the following (old) tool useful:
http://metasploit.com/users/hdm/tools/dnascan.pl.gz

-HD

On Thursday 12 January 2006 16:36, Keith Hanson wrote:
Was wondering if there's any .NET developers/Pen-Testers out there who
might know how to do this. I'm currently attempting to override the
viewstate of a .NET application with my own viewstate, and get the
application to auto-fill in the values using the Viewstate. I've used
JavaScript to set the value of the hidden field __VIEWSTATE with my
own, and then submitted the form, but to no avail. My test project is
a pretty simple app, with a text box and a submit button.
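
Exceptions 1 and 3 in the reply above both leave a trace in the application's configuration, so they can be audited for. The following is an added example, not part of the original thread and not code from its author. It assumes the settings are stored as the `enableViewStateMac` attribute of `<pages>` and the `validationKey`/`decryptionKey`/`validation` attributes of `<machineKey>` in ASP.NET's web.config or machine.config; the function names and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample configuration (not taken from any real server).
SAMPLE_CONFIG = """<configuration>
  <system.web>
    <pages enableViewStateMac="false" />
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF01234567"
                decryptionKey="AutoGenerate,IsolateApps" validation="MD5" />
  </system.web>
  <location path="admin">
    <system.web><pages enableViewStateMac="true" /></system.web>
  </location>
</configuration>"""

def local_name(element):
    """Strip an XML namespace prefix such as '{uri}pages' down to 'pages'."""
    return element.tag.rsplit("}", 1)[-1]

def audit_viewstate_config(xml_text):
    """Return (severity, message) findings about ViewState integrity settings."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        name = local_name(el)
        if name == "pages":
            # The MAC is on by default, so only an explicit "false" is a finding.
            if el.get("enableViewStateMac", "true").strip().lower() == "false":
                findings.append(("high", "enableViewStateMac=false: ViewState is accepted without a MAC"))
        elif name == "machineKey":
            for attr in ("validationKey", "decryptionKey"):
                value = el.get(attr, "AutoGenerate").strip()
                # Fixed keys are normal on web farms, but one nobody can
                # account for matches the backdoor described in item 3.
                if not value.lower().startswith("autogenerate"):
                    findings.append(("review", f"{attr} is hardcoded: confirm who set it, rotate if unknown"))
            if el.get("validation", "").strip().upper() == "MD5":
                findings.append(("medium", "validation=MD5: SHA-1 is the stronger of the two options named above"))
    return findings

if __name__ == "__main__":
    for severity, message in audit_viewstate_config(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run it against every web.config in the application tree as well as the machine-wide file, and compare hardcoded keys against what the deployment process is supposed to have set.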
