Penetration Testing mailing list archives
RE: Spoofing .NET ViewState
From: "Debasis Mohanty" <mail () hackingspirits com>
Date: Sat, 14 Jan 2006 01:35:11 +0530
Keith, There could be two reasons for your test to fail. Like as Moore has already mentioned, View State is tamper proof if MAC is enabled. Next is, are you not missing out the Content-Type header while POSTing the data? If you use the Fiddler http debugging tool this will be one of those small details you might notice as a difference between your programmatic POST and the browser POST, and is required for POST to work (especially incase of ASP.NET). In order to make this work and send the valid Viewstate value to the server, you will first need to request the form from the server, parse the Viewstate, and then POST the form back with all other details like Content-Type etc. Think about how web scrapping would work incase of fetching data from an asp.net page. Debasis Mohanty www.hackingspirits.com Ps: VIEWSTATE is a beautiful beast; that amazing datagrid stuffs still plays in mind ;) -----Original Message----- From: Keith Hanson [mailto:seraphimrhapsody () gmail com] Sent: Friday, January 13, 2006 4:06 AM To: pen-test () securityfocus com Subject: Spoofing .NET ViewState Hi everyone, First time I posted to this, long-time lurker, so if I'm doing anything etiquettely incorrect, then please let me know ^_^. Was wondering if there's any .NET developers/Pen-Testers out there who might know how to do this. I'm currently attempting to override the viewstate of a .NET application with my own viewstate, and get the application to auto-fill in the values using the Viewstate. I've used JavaScript to set the value of the hidden field __VIEWSTATE with my own, and then submitted the form, but to no avail. My test project is a pretty simple app, with a text box and a submit button. I enter a value into the text box, hit submit, grab the new viewstate after submission (it, of course, successfully changes), then hard code that into a JavaScript function to overwrite the ViewState. The function will overwrite the viewstate and the do a form submission. On the next page load, I want it to read the viewstate and then, as far as I know, should populate the textfield using that viewstate. But for some reason... it doesn't? Does anyone have any input? Also, as a side question, how would I go about releasing an exploit to BugTraq with Proof-Of-Concept code and explanation of the issue? I've contacted the vendor, and even gave them the issue and code. It's been about 3 months ago, and I got no response after I gave them the information for a whole month. Two weeks after submission, I asked about it, and got no reply until two weeks later, I told them that I'd like to go ahead and publicly disclose the issue since there was no response from the company. I promptly got a response explaining that he thought I had been contacted (Not sure if this is all that true, given the lack of any response at all to my previous inquiries). What do you guys suggest I do given your previous experiences? Thanks, --Keith ---------------------------------------------------------------------------- -- Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 ---------------------------------------------------------------------------- --- ------------------------------------------------------------------------------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
Current thread:
- Spoofing .NET ViewState Keith Hanson (Jan 12)
- Re: Spoofing .NET ViewState H D Moore (Jan 13)
- Re: Spoofing .NET ViewState bryan allott (Jan 13)
- RE: Spoofing .NET ViewState Debasis Mohanty (Jan 15)
- Re: Spoofing .NET ViewState Ademar Gonzalez (Jan 15)
- RE: Spoofing .NET ViewState Debasis Mohanty (Jan 15)
- <Possible follow-ups>
- Re: Spoofing .NET ViewState Andrew (Jan 13)
- Re: Spoofing .NET ViewState Keith Hanson (Jan 13)