Re: Spoofing .NET ViewState

From: H D Moore (sflist@digitaloffense.net)
Date: Fri Jan 13 2006 - 00:28:19 EST


The ViewState has a 'MAC' appended to the end by default. If you modify
the ViewState with ViewStateMac enabled (default in web.xml), the .NET
layer will mark it as invalid and the error handler will be invoked. This
MAC is either an MD5 or SHA-1 hash of the ViewState data plus a secret key
generated automatically by the web server. There are a few applications
out there that let you examine the structure of a ViewState (think of a
tree of name/value pairs), but 'spoofing' it requires some crypto
hackery. There are some exceptions:

1) If ViewStateMac is disabled, you can do some really evil things to the
backend application. What you can do depends on the app - disable the MAC
to find out :-) There used to be an overflow (pre-1.0 .NET)...

2) If you can force the application to place your data into the ViewState,
you can replay the MAC'd VS string for the life of the key. The VS has a
Page ID embedded within it, this should prevent that VS from being valid
on any other pages, however in 1.0 it was not enforced (IIRC), not sure
about 1.1 or whatever the latest version is.

3) If you break into the .NET server, you can hardcode the encryption key
and view state key inside web.xml - if you modify the default web.xml
file (somewhere in System32?), it's a fairly evil backdoor that can let
you bypass authentication (depends, of course, on the app).

You might find the following (old) tool useful:
http://metasploit.com/users/hdm/tools/dnascan.pl.gz

-HD

On Thursday 12 January 2006 16:36, Keith Hanson wrote:
> Was wondering if there's any .NET developers/Pen-Testers out there who
> might know how to do this. I'm currently attempting to override the
> viewstate of a .NET application with my own viewstate, and get the
> application to auto-fill in the values using the Viewstate. I've used
> JavaScript to set the value of the hidden field __VIEWSTATE with my
> own, and then submitted the form, but to no avail. My test project is
> a pretty simple app, with a text box and a submit button.
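
For the defender's side of exceptions 1 and 3 in the reply above, here is an added example (not part of the original thread and not the poster's code) that audits an ASP.NET configuration file for a disabled ViewState MAC and for hardcoded keys. It assumes the ASP.NET configuration schema's `pages/@enableViewStateMac` and `machineKey/@validationKey`/`@decryptionKey` attributes as found in web.config and machine.config; the function name `audit_viewstate_config` and the sample document are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample configuration (not taken from any real server).
SAMPLE_CONFIG = """<configuration>
  <system.web>
    <pages enableViewStateMac="false" />
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF01234567"
                decryptionKey="AutoGenerate,IsolateApps" validation="SHA1" />
  </system.web>
  <location path="admin">
    <system.web>
      <pages enableViewStateMac="true" />
    </system.web>
  </location>
</configuration>"""


def _local(tag):
    """Strip an XML namespace prefix, which some config files declare."""
    return tag.rsplit("}", 1)[-1]


def audit_viewstate_config(xml_text, source="<inline>"):
    """Return (source, element, finding) tuples for risky ViewState settings."""
    findings = []
    # iter() walks the whole tree, so <location> overrides are checked too.
    for elem in ET.fromstring(xml_text).iter():
        name = _local(elem.tag)
        if name == "pages":
            # The MAC is on by default; only an explicit "false" turns it off.
            if elem.get("enableViewStateMac", "true").strip().lower() == "false":
                findings.append((source, "pages", "enableViewStateMac=false"))
        elif name == "machineKey":
            # Auto-generated keys start with "AutoGenerate"; anything else is a
            # fixed key that must match an approved (e.g. web farm) value.
            for attr in ("validationKey", "decryptionKey"):
                value = elem.get(attr, "AutoGenerate").strip()
                if not value.lower().startswith("autogenerate"):
                    findings.append((source, "machineKey", attr + " hardcoded"))
    return findings


if __name__ == "__main__":
    for finding in audit_viewstate_config(SAMPLE_CONFIG, "sample"):
        print(*finding, sep=": ")
```

A hardcoded key is legitimate on load-balanced servers, so treat that finding as a prompt to compare the value against the one your deployment process set, and run the check against every configuration file in the hierarchy.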

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:22 EDT