From: Keith Hanson (seraphimrhapsody@gmail.com)
Date: Thu Jan 12 2006 - 17:36:14 EST
Hi everyone,
First time I posted to this, long-time lurker, so if I'm doing
anything etiquettely incorrect, then please let me know ^_^.
Was wondering if there's any .NET developers/Pen-Testers out there who
might know how to do this. I'm currently attempting to override the
viewstate of a .NET application with my own viewstate, and get the
application to auto-fill in the values using the Viewstate. I've used
JavaScript to set the value of the hidden field __VIEWSTATE with my
own, and then submitted the form, but to no avail. My test project is
a pretty simple app, with a text box and a submit button.
I enter a value into the text box, hit submit, grab the new viewstate
after submission (it, of course, successfully changes), then hard code
that into a JavaScript function to overwrite the ViewState. The
function will overwrite the viewstate and the do a form submission. On
the next page load, I want it to read the viewstate and then, as far
as I know, should populate the textfield using that viewstate. But for
some reason... it doesn't?
Does anyone have any input?
Also, as a side question, how would I go about releasing an exploit to
BugTraq with Proof-Of-Concept code and explanation of the issue? I've
contacted the vendor, and even gave them the issue and code. It's been
about 3 months ago, and I got no response after I gave them the
information for a whole month. Two weeks after submission, I asked
about it, and got no reply until two weeks later, I told them that I'd
like to go ahead and publicly disclose the issue since there was no
response from the company. I promptly got a response explaining that
he thought I had been contacted (Not sure if this is all that true,
given the lack of any response at all to my previous inquiries). What
do you guys suggest I do given your previous experiences?
Thanks,
--Keith
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:22 EDT