RE: ASP.NET __VIEWSTATE crypto validation prone to replay attacks

To: <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: RE: ASP.NET __VIEWSTATE crypto validation prone to replay attacks
From: "Tim Farley" <tfarley@xxxxxxxxxxxxxxx>
Date: Tue, 3 May 2005 12:58:33 -0400
Cc: <lcamtuf@xxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Thread-index: AcVQAVbWGLF0uAqkRS6qORdC/PwLlA==
Thread-topic: RE: ASP.NET __VIEWSTATE crypto validation prone to replay attacks

Microsoft has addressed your issues 1-a, 1-b and 1-c by adding a property 
"ViewStateUserKey" to the System.Web.UI.Page class in .NET Framework 1.1.  The 
documentation for this property is here:

http://msdn.microsoft.com/library/en-us/cpref/html/frlrfsystemwebuipageclassviewstateuserkeytopic.asp

Of course, it is up to the individual web page developer to ensure an 
appropriate non-trivial value has been placed into this property.  As we all 
know, this is exactly the sort of detail that developers often forget or flub, 
with disastrous results.

--Tim Farley
  SPI Dynamics

Start Secure. Stay Secure.
Security Assurance Throughout the Application Lifecycle.

Prev by Date: Multiple vulnerabilities in myBloggie 2.1.1
Next by Date: Multiple Vulnerabilities In osTicket
Previous by thread: Re: ASP.NET __VIEWSTATE crypto validation prone to replay attacks
Next by thread: Re: ASP.NET __VIEWSTATE crypto validation prone to replay attacks
Index(es):
- Date
- Thread