Sunday, December 2, 2007

.NET ViewState vulnerable to manipulation exploits

This past week i had a chance to audit a customer who is using microsoft's viewstate. So what is ViewState and why is it vulnerable? Well, ViewState is an ASP.NET feature that allows you to persist form properties when a page posts back to itself. ASP.NET takes the current state of all form controls and stores them as an encoded string in a hidden form field. The risk of View State is that an attacker might be able to view or modify these form values to accomplish a variety of attacks. So, the question is how do you modify and view the values in ViewState? To do so, you can download PortSwigger's latest burp proxy to accomplish the task of neccessary manipulation. View State appears in the HTML source as a hidden form field and it is using base64 encoding.

The latest version of burp proxy allows you to decode ViewState's base64 algorithm and view the clear contents inside, or you can also download ViewState decoder from Fritz Onion to ONLY view the contents inside. Check out the both links below:

Because the customer is using some sort of VPN, i was unable to use PortSwigger's burp proxy for what ever reason. However, i managed to decode the ViewState using Viewstate Decoder.

To prevent attackers from manipulating View State, you can include a message authentication code (MAC). A MAC is essentially a hash of the data that ensures its integrity. You can enable the View State MAC on the machine, application, or page level. You can enable the MAC wherever you enable View State with this attribute:

To truly make sure ViewState is secured, you will need to encrypt the data with ViewStateEncryptionMode property set to true. This will prevent attackers from decoding and viewing data inside viewstate. To read more about ViewState security, check out the msdn link below:

The Hacka Man