From: Evans, Arian (Arian.Evans@fishnetsecurity.com)
Date: Fri Jan 13 2006 - 17:15:59 EST
Inline; I removed parts of HD's post & added clarifications;
recommend reading HD's original post for his full quality ideas.
> -----Original Message-----
> From: H D Moore [mailto:sflist@digitaloffense.net]
>
> The ViewState has a 'MAC' appended to the end by default. If
> you modify the ViewState with ViewStateMac enabled (default in web.xml),
--ViewState enableViewStateMac is specified in both machine.config
and web.config (the first being more of a global config and the
latter allowing for application/VD specific configs and can be
nested hierarchically in app directories)
--enableViewStateMac defaults off in .NET 1.0
--enableViewStateMac defaults on in .NET 1.1 & 2.0, though I recall
MS official documentation states that it is off for 1.1
--you can also control enableViewStateMac=true/false at the page level
via directive (<%@Page enableViewStateMac='false' %>)
or script Page.EnableViewStateMac = false;
> the .NET layer will mark it as invalid and the error handler will be
> invoked. This MAC is either a MD5 or SHA-1 hash of the ViewState data plus
--If enableviewstatemac is on in the environment you are attempting to
submit your made-up viewstate, it will get dumped, in short...
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000007.asp
--The file machine.config is located by default outside the published webroot in:
%systemroot%\Microsoft.NET\Framework\$version_number\CONFIG\machine.config
--SHA1 is the default hash, at least in .NET 1.1
--You can specify encryption of Viewstate as well; 3DES or AES
> 2) If you can force the application to place your data into
> the ViewState,
> you can replay the MAC'd VS string for the life of the key.
> The VS has a
> Page ID embedded within it, this should prevent that VS from
> being valid
> on any other pages, however in 1.0 it was not enforced
> (IIRC), not sure
> about 1.1 or whatever the latest version is.
> 3) If you break into the .NET server, you can hardcode the
> encryption key and view state key inside web.xml - if you
> modify the default web.xml file (somewhere in System32?)
--file is machine.config; see above
--Recommend double-check my statements on MSDN. I am
<!=$default_sleep_requirements at the moment,
-ae
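The config settings the two posts go back and forth on, pulled together in one web.config excerpt. This is an added example, not text from either poster or from Microsoft's documentation; the key values are placeholders and the "weak" stanza is shown commented out so the file is valid as-is.

```xml
<!-- web.config excerpt (added example). Key values are PLACEHOLDERS: generate
     your own and keep the file out of source control and outside the webroot. -->
<configuration>
  <system.web>

    <!-- WEAK: MAC check disabled. Any client can hand back an altered
         __VIEWSTATE and the page will deserialize it without complaint.
         Left commented out here so the example stays valid. -->
    <!--
    <pages enableViewStateMac="false" />
    -->

    <!-- HARDENED: MAC check on. This is the 1.1/2.0 default but off in 1.0,
         and machine.config or a page directive can override it, so set it
         explicitly at the application level where you can audit it.
         viewStateEncryptionMode is a .NET 2.0 attribute; omit it on 1.x. -->
    <pages enableViewStateMac="true" viewStateEncryptionMode="Always" />

    <!-- Explicit keys rather than AutoGenerate. Needed for a web farm so every
         node accepts the same ViewState, and this is the spot HD's point 3 is
         about: whoever can edit this file can mint valid ViewState.
         validation="SHA1" selects the hash used for the MAC (MD5 also allowed). -->
    <machineKey
      validationKey="PLACEHOLDER_REPLACE_WITH_RANDOM_HEX_VALIDATION_KEY"
      decryptionKey="PLACEHOLDER_REPLACE_WITH_RANDOM_HEX_DECRYPTION_KEY"
      validation="SHA1" />

  </system.web>
</configuration>
```

Two things to check when reviewing an application against this: grep the .aspx files for `EnableViewStateMac="false"` in `<%@ Page %>` directives and the code-behind for `Page.EnableViewStateMac = false`, since either silently overrides the config above for that one page; and confirm in a test environment that a modified `__VIEWSTATE` value is rejected and lands in the error handler, as HD describes, rather than being accepted.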
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:22 EDT