Re: ASP.NET __VIEWSTATE crypto validation prone to replay attacks

From: Michal Zalewski (lcamtuf_at_gmail.com)
Date: 05/05/05

  • Next message: Exoduks: "[hackgen-2005-#004] - Multiple bugs in MidiCart PHP Shopping Cart"
    Date: Thu, 5 May 2005 22:06:21 +0200
    To: bugtraq@securityfocus.com
    
    

    > Microsoft has addressed your issues 1-a, 1-b and 1-c by adding a
    > property "ViewStateUserKey" to the System.Web.UI.Page class in
    > .NET Framework 1.1. The documentation for this property is here:

    No, I think this statement is simply not true. The key is intended to
    solve a wholly different class of problems, and has nothing to do with
    replay attacks I reported.

    Reported issue 1-a: same user moves __VIEWSTATE from one page to
    another. Adding unique user identifier to __VIEWSTATE does not help,
    because in both cases, it's precisely the same user within the same
    system.

    Reported issue 1-b: same user retains __VIEWSTATE and reuses it at a
    later date. Again, it's precisely the same person and the same unique
    ID.

    Reported issue 1-c: this is the least relevant of all reported
    problems, and indeed can be in some situations mitigated by binding
    __VIEWSTATE data to a specific user.

    /mz


  • Next message: Exoduks: "[hackgen-2005-#004] - Multiple bugs in MidiCart PHP Shopping Cart"