from: trustwave advisories - owasp › › 20110412-aspnet... · from: trustwave advisories sent:...
From: Trustwave Advisories
Sent: Tuesday, February 9th 2010 23:41
...SpiderLabs has documented view state tampering
vulnerabilities ... View states are used by some
web application frameworks to store the state of
HTML GUI controls. View states are typically
stored in hidden client-side input fields,
although server-side storage is widely supported.
Credit: David Byrne of Trustwave's SpiderLabs
Executive Summary
... An attacker who successfully exploited this
vulnerability could read data, such as the view
state, which was encrypted by the server. This
vulnerability can also be used for data tampering,
which, if successfully exploited, could be used to
decrypt and tamper with the data encrypted by the
server.
Microsoft .NET Framework versions prior to Microsoft
.NET Framework 3.5 Service Pack 1 are not affected
by the file content disclosure portion of this
vulnerability.
<script runat="server">
protected void Page_Load(object sender, Event...
if (!IsPostBack) {
myLabel.Text = "Here you can download...
}
}
</script>
<asp:Content runat="server" ContentPlaceHolderID...
<asp:Label ID="myLabel" runat="server">
</asp:Label>
<form name="aspnetForm" method="post" id="asp...
<input type="hidden" name="__VIEWSTATE" id="__V...
value="/wEP0aWpA45OkQLP9+4sT2...YW1lcw=" />
...
Download tool</span></h1>
</div>
...
<div class="entry">
<span id="ctl00_plhContent_myLabel">
Here you can download everything you wan...
</span>
...
<input type="hidden" name="__VIEWSTATE" id="__V...
value="/wEP0aWpA45OkQLP9+4sT2...YW1lcw=" />
__VIEWSTATE
Text InnerHTML
<form id="Form1" method="GET" runAt="server...
<label for="inpSearch">Search: </label>
<input value='<%=Request.QueryString["search"]%>'
type='text' id='search' name='search'>
<input type="submit" />
</form>
internal static bool IsDangerousString(…) {
…
char ch = s[num2];
if (ch != '&') {
if ((ch == '<') && ((IsAtoZ(s[num2 + 1]) ||
(s[num2 + 1] == '!')) || ((s[num2 + 1] == '/')
|| (s[num2 + 1] == '?'))))
return true;
}
else if (s[num2 + 1] == '#')
return true;
Server.HtmlEncode("<b>") => &lt;b&gt;
<form id="Form1" method="GET" runAt="server...
<label for="inpSearch">Search: </label>
<input value='<%=Server.HtmlEncode(
Request.QueryString["search"]) %>'
type='text' id='search' name='search'>
<input type="submit" />
</form>
// Now in System.Net.WebUtility with .NET 4.0
public static unsafe void HtmlEncode(…) {
...
switch (ch) {
case '&': {
output.Write("&amp;");
continue;
}
case '\'': {
output.Write("&#39;");
continue;
}
case '"': …
case '<': …
case '>': …
…}
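The request-validation rule and the HtmlEncode fix shown above can be compared on the same input. This is an added example, not code from the original slides or from the .NET Framework source: `LooksDangerous`, `RenderRaw`, `RenderEncoded` and the sample inputs are constructed for illustration, and only `System.Net.WebUtility.HtmlEncode` is a real framework call.

```csharp
using System;
using System.Net;

static class SearchFormDemo
{
    static bool IsAtoZ(char c) =>
        (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');

    // Hypothetical re-implementation of the rule visible in the
    // IsDangerousString fragment: '<' followed by a letter, '!', '/' or '?',
    // or '&' followed by '#'. Quote characters are not part of the rule.
    static bool LooksDangerous(string s)
    {
        for (int i = 0; i + 1 < s.Length; i++)
        {
            char ch = s[i], next = s[i + 1];
            if (ch == '<' && (IsAtoZ(next) || next == '!' || next == '/' || next == '?'))
                return true;
            if (ch == '&' && next == '#')
                return true;
        }
        return false;
    }

    // The search <input> from the slides, without and with HtmlEncode,
    // rendered as plain strings so the markup can be inspected.
    static string RenderRaw(string search) =>
        "<input value='" + search + "' type='text' id='search' name='search'>";

    static string RenderEncoded(string search) =>
        "<input value='" + WebUtility.HtmlEncode(search) + "' type='text' id='search' name='search'>";

    static void Main()
    {
        // Constructed sample values; none comes from the original deck.
        string[] samples = { "<b>", "O'Reilly books", "AT&T" };
        foreach (string s in samples)
        {
            Console.WriteLine("input     : " + s);
            Console.WriteLine("validation: " + (LooksDangerous(s) ? "rejected" : "passes"));
            // For the second sample the raw form ends the value attribute
            // after "O"; the encoded form keeps the whole string inside it.
            Console.WriteLine("raw       : " + RenderRaw(s));
            Console.WriteLine("encoded   : " + RenderEncoded(s));
            Console.WriteLine();
        }
    }
}
```

The value containing a single quote passes the validation rule yet terminates the single-quoted attribute in the raw template, which is why the fixed form encodes on output instead of relying on request validation.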
<!-- web.config file of DotNetNuke
latest version -->
<system.web>
<machineKey
validationKey="F60E6580AE5E29E10C
F592A687E87F1D09280611"
decryptionKey="8A3D693693DB497480
7AC0078A2564C1ED8A19121BCB342C"
decryption="3DES"
validation="SHA1"
/>