Dailydave mailing list archives
Re: XSS in viewstate
From: David Byrne <DByrne () trustwave com>
Date: Fri, 19 Feb 2010 13:15:25 -0600
This is very real. The Hacking Lab document is actually an (unattributed) cut and paste job from a larger advisory that we released earlier in the month. The topic was discussed in more detail at a BlackHat DC presentation.

https://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt
http://www.blackhat.com/html/bh-dc-10/bh-dc-10-archives.html#Byrne

Microsoft doesn't fully document the view state format, but it isn't too hard to discover using tools like .Net Reflector (http://reflector.red-gate.com). There are several tools that will decode the view state; my favorite is ViewStateHacker (http://www.woany.co.uk/viewstatehacker/).

Our advisory is about view state vulnerabilities in three different web app frameworks. Microsoft comes out pretty well because they secure the view state by default, but it's not that rare to find ASP.Net web apps with view state security disabled. The reason is usually lazy administration; load-balanced environments are simpler when view state security is disabled (what isn't easier without security?). The only framework vulnerability that we could find in .Net was XSS. Of course, custom applications can have any type of vulnerability introduced.

Apache MyFaces and Sun Mojarra were more serious. View state security is disabled by default and few sites use it. In addition to XSS, it's also possible to upload JSP Expression Language statements to the server. This allows an attacker to read any request-, session-, application-, or server-scoped variable defined by the developer. It isn't unusual for sensitive data to be stored in server-side session variables, so it can be a useful attack.
Thanks,

David Byrne
Senior Security Consultant
Trustwave - SpiderLabs, Application Security
Email: dbyrne () trustwave com
Phone (office & cell): 720-279-4123

-----Original Message-----
From: dailydave-bounces () lists immunitysec com [mailto:dailydave-bounces () lists immunitysec com] On Behalf Of dave
Sent: Friday, February 19, 2010 7:46 AM
To: dailydave () lists immunityinc com
Subject: [Dailydave] XSS in viewstate

http://www.hacking-lab.com/misc/downloads/ViewState_Afames.pdf

This, on first glance, looks real to me. Does anyone have any comments on it? ViewState is pretty complex and fairly opaque. If I understand properly, MS does not publish the full specs to it? Maybe the Mono team found them somewhere?

-dave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
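The thread turns on two points: ASP.Net view state is a decodable (not encrypted by default) serialized object tree, and its only protection against tampering is the MAC that some sites switch off. The decoder below is an added example written for this archive page; it is not Trustwave's advisory code, not ViewStateHacker, and not Microsoft's. It parses the ObjectStateFormatter "LOS" layout (0xFF 0x01 marker, then typed tokens) for the subset of tokens that usually make up a hidden __VIEWSTATE field, lists every string in the tree (where injected markup would sit), and reports whether bytes follow the single top-level object. Those trailing bytes are the MAC; none at all means the field is unprotected. The sample fields, the HMAC key and the length-to-algorithm guesses are constructed for illustration: the script can detect a MAC by its presence and length, but cannot verify it without the server's machineKey.

```python
import base64
import hashlib
import hmac
import struct

# Token values follow the ObjectStateFormatter layout; only this subset is handled.
MARKER = b"\xff\x01"
T_INT16, T_INT32, T_BYTE, T_STRING = 0x01, 0x02, 0x03, 0x05
T_PAIR, T_TRIPLET, T_ARRAYLIST, T_HASHTABLE = 0x0F, 0x10, 0x16, 0x17
T_IDXSTR_ADD, T_IDXSTR = 0x1E, 0x1F
T_NULL, T_EMPTYSTR, T_ZERO, T_TRUE, T_FALSE = 0x64, 0x65, 0x66, 0x67, 0x68


class LosReader:
    """Walks the token stream that follows the 0xFF 0x01 marker."""

    def __init__(self, data):
        self.data, self.pos, self.table = data, 0, []

    def u8(self):
        self.pos += 1
        return self.data[self.pos - 1]

    def v7(self):
        # .NET Write7BitEncodedInt: 7 data bits per byte, low bits first, high bit = "more"
        n = shift = 0
        while True:
            b = self.u8()
            n |= (b & 0x7F) << shift
            if not b & 0x80:
                return n
            shift += 7

    def string(self):
        n = self.v7()
        s = self.data[self.pos:self.pos + n].decode("utf-8")
        self.pos += n
        return s

    def value(self):
        t = self.u8()
        if t == T_NULL: return None
        if t == T_EMPTYSTR: return ""
        if t == T_ZERO: return 0
        if t == T_TRUE: return True
        if t == T_FALSE: return False
        if t == T_BYTE: return self.u8()
        if t == T_INT32: return self.v7()
        if t == T_INT16:
            (v,) = struct.unpack_from("<h", self.data, self.pos)
            self.pos += 2
            return v
        if t == T_STRING: return self.string()
        if t == T_IDXSTR_ADD:                  # string that also enters the lookup table
            s = self.string(); self.table.append(s); return s
        if t == T_IDXSTR: return self.table[self.u8()]   # back-reference by table index
        if t == T_PAIR: return (self.value(), self.value())
        if t == T_TRIPLET: return (self.value(), self.value(), self.value())
        if t == T_ARRAYLIST: return [self.value() for _ in range(self.v7())]
        if t == T_HASHTABLE:
            d = {}
            for _ in range(self.v7()):
                k = self.value(); d[k] = self.value()
            return d
        raise ValueError("unhandled LOS token 0x%02x at offset %d" % (t, self.pos - 1))


def decode_viewstate(b64):
    """Return (decoded object, trailing bytes). Bytes after the one top-level object are the MAC."""
    raw = base64.b64decode(b64)
    if not raw.startswith(MARKER):
        return None, raw                     # encrypted or not LOS: opaque to this parser
    r = LosReader(raw[len(MARKER):])
    obj = r.value()
    return obj, raw[len(MARKER) + r.pos:]


def mac_status(trailer):
    """Heuristic only: detects a MAC by length, cannot verify it without the machineKey."""
    if not trailer:
        return "none: view state MAC disabled, field is tamperable"
    guess = {16: "MD5", 20: "HMACSHA1", 32: "HMACSHA256", 48: "HMACSHA384", 64: "HMACSHA512"}
    return "present: %d bytes (%s?)" % (len(trailer), guess.get(len(trailer), "unknown"))


def find_strings(obj):
    """Flatten every string in the decoded tree; injected markup shows up here."""
    if isinstance(obj, str): return [obj]
    if isinstance(obj, (tuple, list)): return [s for x in obj for s in find_strings(x)]
    if isinstance(obj, dict): return [s for kv in obj.items() for x in kv for s in find_strings(x)]
    return []


def _v7(n):
    out = bytearray()
    while n >= 0x80:
        out.append((n & 0x7F) | 0x80); n >>= 7
    out.append(n)
    return bytes(out)


def _s(tok, s):
    b = s.encode("utf-8")
    return bytes([tok]) + _v7(len(b)) + b


# Constructed sample, not a capture: Pair(Pair(Int32, Triplet(ArrayList, Hashtable, True)), Null)
_BODY = (MARKER + bytes([T_PAIR, T_PAIR, T_INT32]) + _v7(1234567)
         + bytes([T_TRIPLET, T_ARRAYLIST]) + _v7(3) + _s(T_STRING, "Hello")
         + bytes([T_INT16]) + struct.pack("<h", -2) + _s(T_STRING, "<script>alert(1)</script>")
         + bytes([T_HASHTABLE]) + _v7(1) + _s(T_IDXSTR_ADD, "Text") + bytes([T_IDXSTR, 0])
         + bytes([T_TRUE, T_NULL]))
SAMPLE_NO_MAC = base64.b64encode(_BODY).decode()
# Assumed key stands in for the server machineKey; this only reproduces the "object || MAC"
# layout, not ASP.Net's exact modifier handling, so the decoder can detect but not verify it.
SAMPLE_WITH_MAC = base64.b64encode(
    _BODY + hmac.new(b"example-machine-key", _BODY, hashlib.sha1).digest()).decode()

if __name__ == "__main__":
    for label, vs in (("no MAC", SAMPLE_NO_MAC), ("with MAC", SAMPLE_WITH_MAC)):
        obj, trailer = decode_viewstate(vs)
        print(label, "->", mac_status(trailer))
        print("  strings:", find_strings(obj))
```

Run it against a real __VIEWSTATE value by passing the field's base64 to `decode_viewstate`; an empty trailer is the condition David describes (view state security disabled), and a field that does not start with 0xFF 0x01 is encrypted and stays opaque. Tokens outside the handled subset raise rather than silently misreport the trailer length.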
Current thread:
- XSS in viewstate dave (Feb 19)
- Re: XSS in viewstate Chris Weber (Feb 19)
- Re: XSS in viewstate dave (Feb 19)
- Re: XSS in viewstate David Byrne (Feb 19)
- Re: XSS in viewstate dave (Feb 19)
- Re: XSS in viewstate Raw Data (Feb 19)
- Re: XSS in viewstate David Byrne (Feb 19)
- Re: XSS in viewstate I)ruid (Mar 21)
- Re: XSS in viewstate David Byrne (Feb 19)
- Re: XSS in viewstate David Byrne (Feb 19)
- Re: XSS in viewstate Nicolas RUFF (Feb 21)
- Re: XSS in viewstate Chris Weber (Feb 19)