Bugtraq mailing list archives
Re: ASP.NET __VIEWSTATE crypto validation prone to replay attacks
From: Michal Zalewski <lcamtuf () gmail com>
Date: Thu, 5 May 2005 23:17:10 +0200
I would also like to point all concerned to an excellent post about replay attacks on __VIEWSTATE; the post is by Scott Mitchell, the guy who authored the MSDN article I initially referred to [1]:

http://scottonwriting.net/sowblog/posts/3747.aspx

His article is aimed at developers; Scott explains the issue I reported in a way that makes it perhaps more clear why putting user ID, session ID, or other similar data in __VIEWSTATE is not a remedy by itself, and why reposting __VIEWSTATE is dangerous despite target script location checks.

[1] http://msdn.microsoft.com/library/en-us/dnaspp/html/viewstate.asp

Cheers,
/mz