RE: ASP.NET __VIEWSTATE crypto validation prone to replay attacks

From: Tim Farley (tfarley_at_spidynamics.com)
Date: 05/03/05

    Date: Tue, 3 May 2005 12:58:33 -0400
    To: <bugtraq@securityfocus.com>
    
    

    Microsoft has addressed your issues 1-a, 1-b and 1-c by adding a property "ViewStateUserKey" to the System.Web.UI.Page class in .NET Framework 1.1. The documentation for this property is here:

    http://msdn.microsoft.com/library/en-us/cpref/html/frlrfsystemwebuipageclassviewstateuserkeytopic.asp

    Of course, it is up to the individual web page developer to ensure an appropriate non-trivial value has been placed into this property. As we all know, this is exactly the sort of detail that developers often forget or flub, with disastrous results.

    --Tim Farley
      SPI Dynamics

    Start Secure. Stay Secure.
    Security Assurance Throughout the Application Lifecycle.
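
One way to set the property discussed above, as an added example that is not part of the original message or of Microsoft's documentation. The class name `UserKeyedPage` and the session item name are hypothetical, and the code assumes session state or authentication is enabled for the application.

```csharp
using System;
using System.Web.UI;

// Hypothetical base class (not from the original message): derive pages from it
// so the key is set in one place instead of being remembered page by page.
public class UserKeyedPage : Page
{
    protected override void OnInit(EventArgs e)
    {
        // The property must be assigned during page initialization; it is mixed
        // into the view state MAC, so it only helps while EnableViewStateMac is on.
        string key = null;

        if (Context.Session != null)
        {
            // With cookie-based sessions ASP.NET hands out a new session ID on
            // every request until something is stored in the session. Store a
            // marker (hypothetical item name) so the ID stays fixed between the
            // request that renders the form and the postback.
            if (Session["ViewStateKeyPinned"] == null)
            {
                Session["ViewStateKeyPinned"] = true;
            }
            key = Session.SessionID;
        }
        else if (User != null && User.Identity.IsAuthenticated)
        {
            // No session state: fall back to the authenticated user's name.
            key = User.Identity.Name;
        }

        // Weak choices to avoid: a constant string or the page name, which are
        // identical for every visitor and bind the view state to nobody.
        if (key != null)
        {
            ViewStateUserKey = key;
        }

        base.OnInit(e);
    }
}
```

A view state blob issued under one key fails MAC validation when posted back under a different key, so a blob captured from one user's session is rejected in another's.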

