RE: Spoofing .NET ViewState (overview)

From: Evans, Arian (Arian.Evans@fishnetsecurity.com)
Date: Fri Jan 13 2006 - 17:11:25 EST


::On viewstate::

There are a lot of bad articles and mis-information on the www on
what viewstate is and how it works, and where the default files are,
so I definitely suggest you stick to MSDN::

> -----Original Message-----
> From: Keith Hanson [mailto:seraphimrhapsody@gmail.com]
>
> might know how to do this. I'm currently attempting to override the
> viewstate of a .NET application with my own viewstate, and get the
> application to auto-fill in the values using the Viewstate.

This is not possible client-side if page validation is on, unless you
can duplicate the applied hash.

> I enter a value into the text box, hit submit, grab the new viewstate
> after submission (it, of course, successfully changes), then hard code
> that into a JavaScript function to overwrite the ViewState. The
> function will overwrite the viewstate and then do a form submission.

Viewstate, starting in .NET 1.1, has an HMAC in the string enabled by
default, to prevent tampering.

> the next page load, I want it to read the viewstate and then, as far
> as I know, should populate the textfield using that viewstate. But for
> some reason... it doesn't?

That is not how Viewstate works. Keeping state on data values is handled
by *ASP.NET* by matching form variable names with specific controls, and
keeping track of that in the session. Though this is not infrequently
confused with Viewstate in www articles, particularly in early .NET articles.

Viewstate, simply put, is for storing the status of user interactions that
result in a filter/sort/order type property condition being set on
controls in a given page that cause postback, and is unique to a given page...

Now there *are* conditions you can abuse Viewstate including:

--.NET 1.0 no default validation

--Viewstate MAC disabled on .NET 1.1 or 2.0 (it is seen usually due to
performance issues, lack of understanding of web farm requirements, etc.)

--Replay of Viewstate

--You know the Viewstate machinekey value

--You can control the viewstate machinekey value

I will add more details to HD's response to your email.

-ae
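The reply above makes two points worth seeing in running code: a client-side edit of the ViewState blob is only accepted when no MAC is applied (or the key is known), and a blob captured from one session can be replayed against another unless the MAC covers a per-user value. The following is an added Python example, not code from the email or from ASP.NET itself. It models ViewState as a base64 JSON payload with an appended HMAC-SHA1 (a constructed simplification; real ASP.NET uses its own binary serializer and key configuration), `MACHINE_KEY` is a constructed placeholder standing in for the configured machineKey, and `user_key` stands in for ASP.NET's ViewStateUserKey mechanism.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed placeholder for the server's machineKey validation key.
# A real deployment reads this from configuration; it must never reach the client.
MACHINE_KEY = bytes.fromhex("0f" * 32)

MAC_LEN = hashlib.sha1().digest_size  # 20 bytes for HMAC-SHA1


def encode_state(state: dict, key: Optional[bytes], user_key: str = "") -> str:
    """Serialise page state; when a key is given, append an HMAC over payload + user_key.

    key=None models enableViewStateMac="false" (or .NET 1.0's default of no validation).
    user_key models ViewStateUserKey: mixing a per-session value into the MAC input
    binds the blob to that session, so a captured blob cannot be replayed elsewhere.
    """
    payload = json.dumps(state, sort_keys=True).encode()
    if key is None:
        return base64.b64encode(payload).decode()
    mac = hmac.new(key, payload + user_key.encode(), hashlib.sha1).digest()
    return base64.b64encode(payload + mac).decode()


def decode_state(blob: str, key: Optional[bytes], user_key: str = "") -> dict:
    """Server-side parse. With a key, refuse any blob whose MAC does not verify."""
    raw = base64.b64decode(blob)
    if key is None:
        return json.loads(raw)  # no integrity check at all
    if len(raw) <= MAC_LEN:
        raise ValueError("ViewState too short to carry a MAC")
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(key, payload + user_key.encode(), hashlib.sha1).digest()
    # Constant-time comparison so the check itself does not leak the MAC.
    if not hmac.compare_digest(mac, expected):
        raise ValueError("ViewState MAC validation failed")
    return json.loads(payload)


def client_edit(blob: str, old: bytes, new: bytes) -> str:
    """Model a browser-side overwrite of the hidden field: the client can rewrite the
    serialised bytes but, without the key, cannot recompute the trailing MAC."""
    raw = base64.b64decode(blob)
    return base64.b64encode(raw.replace(old, new)).decode()


def accepted(blob: str, key: Optional[bytes], user_key: str = "") -> bool:
    """True if the server would accept the blob as genuine."""
    try:
        decode_state(blob, key, user_key)
        return True
    except ValueError:
        return False


def demo() -> dict:
    """Return which scenarios the server accepts, for the three cases the reply lists."""
    state = {"page": 1, "sort": "name"}
    edit = (b'"page": 1', b'"page": 9')

    no_mac = encode_state(state, None)
    with_mac = encode_state(state, MACHINE_KEY)
    bound = encode_state(state, MACHINE_KEY, user_key="session-A")

    return {
        # MAC disabled: the client-side overwrite is accepted and the new value is used.
        "tamper_no_mac": accepted(client_edit(no_mac, *edit), None),
        # MAC enabled: the same overwrite fails validation.
        "tamper_with_mac": accepted(client_edit(with_mac, *edit), MACHINE_KEY),
        # Untouched MAC'd blob still verifies.
        "genuine_with_mac": accepted(with_mac, MACHINE_KEY),
        # Replay: a blob bound to session A is rejected when presented in session B.
        "replay_other_session": accepted(bound, MACHINE_KEY, user_key="session-B"),
        "replay_same_session": accepted(bound, MACHINE_KEY, user_key="session-A"),
    }


if __name__ == "__main__":
    for scenario, ok in demo().items():
        print(f"{scenario:22s} accepted={ok}")
```

The `demo()` results are the defensive takeaway: with the MAC on and a per-session user key mixed in, both the edited blob and the replayed blob are rejected, which is exactly why the reply says tampering is "not possible client-side if page validation is on, unless you can duplicate the applied hash".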

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:22 EDT