inline; I removed parts of HD's post & added clarifications;
recommend reading HDs original post for his full quality ideas.
-----Original Message-----
From: H D Moore [mailto:sflist@digitaloffense.net]
The ViewState has a 'MAC' appended to the end by default. If
you modify the ViewState with ViewStateMac enabled (default in web.xml),
--ViewState enableViewStateMac is specified in both machine.config
and web.config (the first being more of a global config and the
latter allowing for application/VD specific configs and can be
nested hierarchically in app directories)
--enableViewStateMac defaults off in .NET 1.0
--enableViewStateMac defaults on in .NET 1.1 & 2.0, though I recall
MS official documentation states that it is off for 1.1
--you can also control enableViewStateMac=true/false at the page level
via directive (<%@Page enableViewStateMac='false' %>)
or script Page.EnableViewStateMac = false;
the .NET layer will mark it as invalid and the error handler will be
invoked. This MAC is either a MD5 or SHA-1 hash of the ViewState data plus
--If enableviewstatemac is on in the environment you are attempting to
submit your made-up viewstate, it will get dumped, in short...
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000007.asp
--The file machine.config, is located by default outside the published webroot
in:
%systemroot%\Microsoft.NET\Framework\$version_number\CONFIG\machine.config
--SHA1 is the default hash, at least in .NET 1.1
--You can specify encryption of Viewstate as well; 3DES or AES
2) If you can force the application to place your data into
the ViewState,
you can replay the MAC'd VS string for the life of the key.
The VS has a
Page ID embedded within it, this should prevent that VS from
being valid
on any other pages, however in 1.0 it was not enforced
(IIRC), not sure
about 1.1 or whatever the latest version is.
3) If you break into the .NET server, you can hardcode the
encryption key and view state key inside web.xml - if you
modify the default web.xml file (somewhere in System32?)
--file is machine.config; see above
--Recommend double-check my statements on MSDN. I am
<!=$default_sleep_requirements at the moment,
-ae
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
