Penetration Testing mailing list archives
RE: Viewstatedecoder usage
From: "Chris Weber" <chris () casabasecurity com>
Date: Thu, 12 Aug 2010 19:58:47 -0700
You could potentially get an XSS attack through the javascript being returned herein. E.g. the referenced 'OnClick' event. <String>return ValidateLogin();</String> You're typically concerned about three issues with VIEWSTATE: 1. Information disclosure 2. Tampering 3. XSS For some automated analysis of VIEWSTATE, check out the Watcher passive vuln scanner: http://websecuritytool.codeplex.com/ -CWeb -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Raja Sent: Tuesday, August 10, 2010 9:12 PM To: pen-test () securityfocus com Subject: Viewstatedecoder usage Hi, Does anybody know how to use Viewstatedecoder? I dont understand how to use viewstatedecoder output. For example: If i give below string as an input: /wEPDwUKLTM5MzgzMzAyMw9kFgICAQ9kFgQCCA8PZBYCHgdPbkNsaWNrBRdyZXR1cm4gVmFsaWRh dGVMb2dpbigpO2QCCg8WAh4Fc3R5bGUFC0RJU1BMQVk6Jyc7ZBgBBR5fX0NvbnRyb2xzUmVxdWly ZVBvc3RCYWNrS2V5X18WAQUKY2hrUmVtZWJlcsqpQglfgYd3pgCO3mYCpLrYijgN I got the following output: <?xml version="1.0" encoding="utf-16"?> <viewstate> <Pair> <Pair> <String>-393833023</String> <Pair> <ArrayList> <Int32>1</Int32> <Pair> <ArrayList> <Int32>8</Int32> <Pair> <Pair> <ArrayList> <IndexedString>OnClick</IndexedString> <String>return ValidateLogin();</String> </ArrayList> </Pair> </Pair> <Int32>10</Int32> <Pair> <ArrayList> <IndexedString>style</IndexedString> <String>DISPLAY:'';</String> </ArrayList> </Pair> </ArrayList> </Pair> </ArrayList> </Pair> </Pair> </Pair> </viewstate> What do i understand from this? how can this be used in Web Penetration testing? Thanks, Raja ------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------ ------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------
Current thread:
- Viewstatedecoder usage Raja (Aug 12)
- RE: Viewstatedecoder usage Chris Weber (Aug 13)