Re: Spoofing .NET ViewState

From: bryan allott (homegrown@bryanallott.net)
Date: Fri Jan 13 2006 - 03:43:20 EST


my first guess is always the most obvious guess in that there's a small
syntax error in the new __VIEWSTATE that the javascript overwrites such that
the server can't parse it.. ? :)

but re spoofing/tampering with __VIEWSTATE..

Setting server-side directives like:
<%@Page EnableViewStateMAC=true %> -on the page
<machineKey validation="3DES" /> -config file

and then something a little more secure [if u want to share __VIEWSTATE
between servers -*an aside*]
<machineKey validation="SHA1" validationKey="
F3690E7A3143C185AB1089616A8B4D81FD55DD7A69EEAA3B32A6AE813ECEECD28DEA66A
23BEE42193729BD48595EBAFE2C2E765BE77E006330BC3B1392D7C73F" />

will
a:) hash the viewstate before sending it to the client and check the hash
coming back so u can't tamper with it
b:) encrypt your __VIEWSTATE value so... there goes the *simple* chance of
decoding it/changing it.

----- Original Message -----
From: "Keith Hanson" <seraphimrhapsody@gmail.com>
To: <pen-test@securityfocus.com>
Sent: Friday, January 13, 2006 12:36 AM
Subject: Spoofing .NET ViewState

Hi everyone,
First time I posted to this, long-time lurker, so if I'm doing
anything etiquettely incorrect, then please let me know ^_^.

Was wondering if there are any .NET developers/Pen-Testers out there who
might know how to do this. I'm currently attempting to override the
viewstate of a .NET application with my own viewstate, and get the
application to auto-fill in the values using the Viewstate. I've used
JavaScript to set the value of the hidden field __VIEWSTATE with my
own, and then submitted the form, but to no avail. My test project is
a pretty simple app, with a text box and a submit button.

I enter a value into the text box, hit submit, grab the new viewstate
after submission (it, of course, successfully changes), then hard code
that into a JavaScript function to overwrite the ViewState. The
function will overwrite the viewstate and then do a form submission. On
the next page load, I want it to read the viewstate and then, as far
as I know, should populate the textfield using that viewstate. But for
some reason... it doesn't?

Does anyone have any input?

Also, as a side question, how would I go about releasing an exploit to
BugTraq with Proof-Of-Concept code and explanation of the issue? I've
contacted the vendor, and even gave them the issue and code. It's been
about 3 months ago, and I got no response after I gave them the
information for a whole month. Two weeks after submission, I asked
about it, and got no reply until two weeks later, I told them that I'd
like to go ahead and publicly disclose the issue since there was no
response from the company. I promptly got a response explaining that
he thought I had been contacted (Not sure if this is all that true,
given the lack of any response at all to my previous inquiries). What
do you guys suggest I do given your previous experiences?

Thanks,
--Keith
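
An added illustration, not part of the original thread and not ASP.NET's actual serialization format: a simplified Python model of the keyed-hash check that EnableViewStateMAC turns on, including why servers sharing __VIEWSTATE need the same validationKey. The keys, the sample state and all function names are constructed for this example.

```python
import base64
import hashlib
import hmac

# Constructed demo keys (not the key from the post). In ASP.NET this role is
# played by the validationKey attribute of <machineKey>.
FARM_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 4)
OTHER_KEY = bytes.fromhex("ffeeddccbbaa99887766554433221100" * 4)
MAC_LEN = hashlib.sha1().digest_size  # 20 bytes for HMAC-SHA1


def protect(state: bytes, key: bytes = FARM_KEY) -> str:
    """On render: append HMAC-SHA1(key, state) and base64 the result."""
    tag = hmac.new(key, state, hashlib.sha1).digest()
    return base64.b64encode(state + tag).decode("ascii")


def unprotect(field: str, key: bytes = FARM_KEY) -> bytes:
    """On postback: recompute the MAC and reject anything that differs."""
    try:
        raw = base64.b64decode(field, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        raise ValueError("not base64") from None
    if len(raw) < MAC_LEN:
        raise ValueError("too short")
    state, tag = raw[:-MAC_LEN], raw[-MAC_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, state, hashlib.sha1).digest()):
        raise ValueError("MAC mismatch")
    return state


def verdict(field: str, key: bytes = FARM_KEY) -> str:
    try:
        return "accepted: " + unprotect(field, key).decode("ascii")
    except ValueError as exc:
        return f"rejected: {exc}"


def edit_state(field: str, old: bytes, new: bytes) -> str:
    """Model a client-side edit: the state changes, the old MAC is kept."""
    raw = base64.b64decode(field)
    return base64.b64encode(raw.replace(old, new, 1)).decode("ascii")


if __name__ == "__main__":
    field = protect(b"txtName=alice")          # constructed sample state
    print(verdict(field))                      # same key on another server
    print(verdict(edit_state(field, b"alice", b"mallory")))
    print(verdict(field, key=OTHER_KEY))       # server with a different key
```

In this model the field stays readable to anyone who base64-decodes it; the MAC only makes edits detectable on postback.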



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:22 EDT