Penetration Testing mailing list archives

RE: Viewstatedecoder usage


From: "Chris Weber" <chris () casabasecurity com>
Date: Thu, 12 Aug 2010 19:58:47 -0700

You could potentially get an XSS attack through the JavaScript being
returned herein.  E.g. the referenced 'OnClick' event.

<String>return ValidateLogin();</String>

You're typically concerned about three issues with VIEWSTATE:

1. Information disclosure
2. Tampering 
3. XSS

For some automated analysis of VIEWSTATE, check out the Watcher passive vuln
scanner:  http://websecuritytool.codeplex.com/

-CWeb




-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Raja
Sent: Tuesday, August 10, 2010 9:12 PM
To: pen-test () securityfocus com
Subject: Viewstatedecoder usage

Hi,

Does anybody know how to use Viewstatedecoder?

I don't understand how to use viewstatedecoder output.

For example:

If I give the string below as input:
/wEPDwUKLTM5MzgzMzAyMw9kFgICAQ9kFgQCCA8PZBYCHgdPbkNsaWNrBRdyZXR1cm4gVmFsaWRh
dGVMb2dpbigpO2QCCg8WAh4Fc3R5bGUFC0RJU1BMQVk6Jyc7ZBgBBR5fX0NvbnRyb2xzUmVxdWly
ZVBvc3RCYWNrS2V5X18WAQUKY2hrUmVtZWJlcsqpQglfgYd3pgCO3mYCpLrYijgN

I got the following output:

<?xml version="1.0" encoding="utf-16"?>
<viewstate>
<Pair>
<Pair>
<String>-393833023</String>
<Pair>
<ArrayList>
<Int32>1</Int32>
<Pair>
<ArrayList>
<Int32>8</Int32>
<Pair>
<Pair>
<ArrayList>
<IndexedString>OnClick</IndexedString>
<String>return ValidateLogin();</String>
</ArrayList>
</Pair>
</Pair>
<Int32>10</Int32>
<Pair>
<ArrayList>
<IndexedString>style</IndexedString>
<String>DISPLAY:'';</String>
</ArrayList>
</Pair>
</ArrayList>
</Pair>
</ArrayList>
</Pair>
</Pair>
</Pair>
</viewstate>


What do I understand from this? How can this be used in Web Penetration
testing?

Thanks,
Raja


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually
do a proper penetration test. IACRB CPT and CEPT certs require a full
practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------
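
Added example (not part of the original thread): a Python sketch that walks the ViewState posted in the question and reports the cleartext strings it carries (the information-disclosure and script values mentioned in the reply) plus the number of bytes left after the serialized tree, which bears on tampering. The token values are assumed from the .NET ObjectStateFormatter encoding, only the tokens this sample uses are handled, and the function names are hypothetical.

```python
import base64

VIEWSTATE = (  # value copied from the question on this page
    "/wEPDwUKLTM5MzgzMzAyMw9kFgICAQ9kFgQCCA8PZBYCHgdPbkNsaWNrBRdyZXR1cm4gVmFsaWRh"
    "dGVMb2dpbigpO2QCCg8WAh4Fc3R5bGUFC0RJU1BMQVk6Jyc7ZBgBBR5fX0NvbnRyb2xzUmVxdWly"
    "ZVBvc3RCYWNrS2V5X18WAQUKY2hrUmVtZWJlcsqpQglfgYd3pgCO3mYCpLrYijgN"
)

def _varint(buf, i):
    """Read a 7-bit encoded integer; return (value, next_index)."""
    value = shift = 0
    while True:
        byte = buf[i]
        i += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, i
        shift += 7

def _read(buf, i, strings):
    """Parse one serialized object; return (object, next_index)."""
    tok = buf[i]
    i += 1
    if tok == 0x64:                      # null
        return None, i
    if tok == 0x02:                      # Int32, 7-bit encoded
        return _varint(buf, i)
    if tok in (0x05, 0x1E):              # String / IndexedString (first use)
        n, i = _varint(buf, i)
        strings.append(buf[i:i + n].decode("utf-8"))
        return strings[-1], i + n
    if tok == 0x0F:                      # Pair
        first, i = _read(buf, i, strings)
        second, i = _read(buf, i, strings)
        return (first, second), i
    if tok in (0x16, 0x18):              # ArrayList / HybridDictionary
        n, i = _varint(buf, i)
        items = []
        for _ in range(n * 2 if tok == 0x18 else n):   # dictionary: key + value
            obj, i = _read(buf, i, strings)
            items.append(obj)
        return items, i
    raise ValueError(f"token 0x{tok:02x} not handled in this sketch")

def audit_viewstate(b64):
    raw = base64.b64decode(b64)
    if raw[:2] != b"\xff\x01":           # assumed plain-format marker
        raise ValueError("no plain serializer header (possibly encrypted)")
    strings = []
    _, end = _read(raw, 2, strings)
    # Bytes after the tree: 0 suggests no MAC; 20 matches an HMAC-SHA1 tag.
    return {"strings": strings, "trailing_bytes": len(raw) - end}
```

For the posted value this returns seven strings, including the OnClick handler text, and 20 trailing bytes, which is the size of an HMAC-SHA1 tag and consistent with the ViewState MAC being enabled. Zero trailing bytes would indicate that nothing protects the value against tampering.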


