RE: Spoofing .NET ViewState

From: Debasis Mohanty (mail@hackingspirits.com)
Date: Fri Jan 13 2006 - 15:05:11 EST


Keith,

There could be two reasons for your test to fail. As Moore has already
mentioned, View State is tamper proof if MAC is enabled. Next is, are you
not missing out the Content-Type header while POSTing the data? If you use
the Fiddler HTTP debugging tool this will be one of those small details you
might notice as a difference between your programmatic POST and the browser
POST, and is required for POST to work (especially in case of ASP.NET).

In order to make this work and send the valid Viewstate value to the server,
you will first need to request the form from the server, parse the
Viewstate, and then POST the form back with all other details like
Content-Type etc.

Think about how web scraping would work in case of fetching data from an
ASP.NET page.

Debasis Mohanty
www.hackingspirits.com

PS: VIEWSTATE is a beautiful beast; that amazing datagrid stuff still plays
in mind ;)

-----Original Message-----
From: Keith Hanson [mailto:seraphimrhapsody@gmail.com]
Sent: Friday, January 13, 2006 4:06 AM
To: pen-test@securityfocus.com
Subject: Spoofing .NET ViewState

Hi everyone,
First time I posted to this, long-time lurker, so if I'm doing anything
etiquettely incorrect, then please let me know ^_^.

Was wondering if there are any .NET developers/Pen-Testers out there who might
know how to do this. I'm currently attempting to override the viewstate of a
.NET application with my own viewstate, and get the application to auto-fill
in the values using the Viewstate. I've used JavaScript to set the value of
the hidden field __VIEWSTATE with my own, and then submitted the form, but
to no avail. My test project is a pretty simple app, with a text box and a
submit button.

I enter a value into the text box, hit submit, grab the new viewstate after
submission (it, of course, successfully changes), then hard code that into a
JavaScript function to overwrite the ViewState. The function will overwrite
the viewstate and then do a form submission. On the next page load, I want it
to read the viewstate and then, as far as I know, should populate the
textfield using that viewstate. But for some reason... it doesn't?

Does anyone have any input?

Also, as a side question, how would I go about releasing an exploit to
BugTraq with Proof-Of-Concept code and explanation of the issue? I've
contacted the vendor, and even gave them the issue and code. It's been about
3 months ago, and I got no response after I gave them the information for a
whole month. Two weeks after submission, I asked about it, and got no reply
until two weeks later, I told them that I'd like to go ahead and publicly
disclose the issue since there was no response from the company. I promptly
got a response explaining that he thought I had been contacted (Not sure if
this is all that true, given the lack of any response at all to my previous
inquiries). What do you guys suggest I do given your previous experiences?

Thanks,
--Keith

----------------------------------------------------------------------------

--
Audit your website security with Acunetix Web Vulnerability Scanner: 
Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for
vulnerabilities to SQL injection, Cross site scripting and other web attacks
before hackers do! 
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
----------------------------------------------------------------------------
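
Added example (not part of the original thread or either poster's code): the
request / parse / POST-back sequence described in the reply at the top of this
thread, built offline in Python against a constructed sample form. The URL, the
field names TextBox1 and Button1, and the __VIEWSTATE value are assumptions made
up for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode, urljoin
from urllib.request import Request

# Constructed sample of what a GET of a simple WebForms test page might return.
SAMPLE_FORM = """
<form method="post" action="Default.aspx" id="form1">
<input type="hidden" name="__VIEWSTATE" value="/wEPDwUKc2FtcGxlLW9ubHlkZA==" />
<input name="TextBox1" type="text" id="TextBox1" />
<input type="submit" name="Button1" value="Submit" />
</form>
"""

class FormFields(HTMLParser):
    """Collect the form action and every named <input> with its value."""
    def __init__(self):
        super().__init__()
        self.action = None
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.action = a.get("action")
        elif tag == "input" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""

def build_postback(page_url, html, overrides):
    """Return an unsent POST that echoes the server-issued hidden fields.

    With MAC enabled the server rejects a modified __VIEWSTATE, so the value
    is sent back exactly as it was issued; only ordinary inputs are changed.
    """
    parser = FormFields()
    parser.feed(html)
    if "__VIEWSTATE" not in parser.fields:
        raise ValueError("no __VIEWSTATE field in the fetched form")
    fields = {**parser.fields, **overrides}
    # urlencode percent-encodes the '/', '+' and '=' found in base64 values.
    body = urlencode(fields).encode("ascii")
    return Request(urljoin(page_url, parser.action or ""), data=body,
                   method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded"})

if __name__ == "__main__":
    # Hypothetical test URL; nothing is sent, the request is only inspected.
    req = build_postback("http://test.example/app/Default.aspx",
                         SAMPLE_FORM, {"TextBox1": "hello"})
    print(req.get_method(), req.full_url)
    print(req.header_items())
    print(req.data.decode("ascii"))
```

Comparing the printed body and headers with a browser POST captured in a proxy
such as Fiddler shows whether a programmatic client is missing a field or the
Content-Type header.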


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:22 EDT