Penetration Testing mailing list archives
Re: Spoofing .NET ViewState
From: "bryan allott" <homegrown () bryanallott net>
Date: Fri, 13 Jan 2006 10:43:20 +0200
my first guess is always the most obvious guess in that there's a small syntax error in the new __VIEWSTATE that the javascript overwrites such that the server can't parse it.. ? :)

but re spoofing/tampering with __VIEWSTATE..
Setting server-side directives like:

<%@Page EnableViewStateMAC=true %> -on the page
<machineKey validation="3DES" /> -config file

and then something a little more secure [if u want to share __VIEWSTATE between servers -*an aside*]

<machineKey validation="SHA1" validationKey="F3690E7A3143C185AB1089616A8B4D81FD55DD7A69EEAA3B32A6AE813ECEECD28DEA66A23BEE42193729BD48595EBAFE2C2E765BE77E006330BC3B1392D7C73F" />

will
a:) hash the viewstate before sending it to the client and check the hash coming back so u can't tamper with it
b:) encrypt your __VIEWSTATE value

so... there goes the *simple* chance of decoding it/changing it.

----- Original Message -----
From: "Keith Hanson" <seraphimrhapsody () gmail com>
To: <pen-test () securityfocus com>
Sent: Friday, January 13, 2006 12:36 AM
Subject: Spoofing .NET ViewState

Hi everyone,

First time I posted to this, long-time lurker, so if I'm doing anything etiquettely incorrect, then please let me know ^_^.

Was wondering if there's any .NET developers/Pen-Testers out there who might know how to do this. I'm currently attempting to override the viewstate of a .NET application with my own viewstate, and get the application to auto-fill in the values using the Viewstate. I've used JavaScript to set the value of the hidden field __VIEWSTATE with my own, and then submitted the form, but to no avail.

My test project is a pretty simple app, with a text box and a submit button. I enter a value into the text box, hit submit, grab the new viewstate after submission (it, of course, successfully changes), then hard code that into a JavaScript function to overwrite the ViewState. The function will overwrite the viewstate and then do a form submission. On the next page load, I want it to read the viewstate and then, as far as I know, should populate the textfield using that viewstate. But for some reason... it doesn't? Does anyone have any input?

Also, as a side question, how would I go about releasing an exploit to BugTraq with Proof-Of-Concept code and explanation of the issue? I've contacted the vendor, and even gave them the issue and code. It's been about 3 months ago, and I got no response after I gave them the information for a whole month. Two weeks after submission, I asked about it, and got no reply until two weeks later, I told them that I'd like to go ahead and publicly disclose the issue since there was no response from the company. I promptly got a response explaining that he thought I had been contacted (Not sure if this is all that true, given the lack of any response at all to my previous inquiries). What do you guys suggest I do given your previous experiences?
Thanks,
--Keith
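Added example, not part of the original thread or of ASP.NET's own code: a simplified Python model of the MAC check described in the reply above, showing why a client-edited hidden field is rejected and why farm nodes need the same explicit validationKey. The function names, the sample state and the "state + HMAC-SHA1 tag" layout are assumptions for illustration and do not reproduce ASP.NET's actual ViewState serialization.

```python
import base64
import hashlib
import hmac
import os

MAC_LEN = hashlib.sha1().digest_size  # 20 bytes for SHA1


def protect(state: bytes, validation_key: bytes) -> str:
    """Append HMAC-SHA1(state) and base64-encode for the hidden field."""
    tag = hmac.new(validation_key, state, hashlib.sha1).digest()
    return base64.b64encode(state + tag).decode("ascii")


def unprotect(field: str, validation_key: bytes) -> bytes:
    """Return the state if its MAC verifies; raise ValueError otherwise."""
    raw = base64.b64decode(field, validate=True)  # bad base64 -> ValueError
    if len(raw) < MAC_LEN:
        raise ValueError("field too short to carry a MAC")
    state, tag = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, state, hashlib.sha1).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("MAC check failed")
    return state


def accepts(field: str, validation_key: bytes) -> bool:
    try:
        unprotect(field, validation_key)
        return True
    except ValueError:
        return False


def demo() -> dict:
    shared_key = os.urandom(64)  # constructed; stands in for an explicit validationKey
    other_key = os.urandom(64)   # constructed; a farm node with a different key
    field = protect(b"TextBox1=hello", shared_key)  # constructed sample state
    raw = bytearray(base64.b64decode(field))
    raw[9] ^= 0x01               # client changes one byte of the state
    tampered = base64.b64encode(bytes(raw)).decode("ascii")
    return {
        "untouched": accepts(field, shared_key),
        "tampered": accepts(tampered, shared_key),
        "other_node": accepts(field, other_key),
    }


if __name__ == "__main__":
    print(demo())
```

The MAC only provides integrity; the state bytes in this model remain readable after base64 decoding.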
Current thread:
- Spoofing .NET ViewState Keith Hanson (Jan 12)
- Re: Spoofing .NET ViewState H D Moore (Jan 13)
- Re: Spoofing .NET ViewState bryan allott (Jan 13)
- RE: Spoofing .NET ViewState Debasis Mohanty (Jan 15)
- Re: Spoofing .NET ViewState Ademar Gonzalez (Jan 15)
- RE: Spoofing .NET ViewState Debasis Mohanty (Jan 15)
- <Possible follow-ups>
- Re: Spoofing .NET ViewState Andrew (Jan 13)
- Re: Spoofing .NET ViewState Keith Hanson (Jan 13)