[38729] in bugtraq


RE: ASP.NET __VIEWSTATE crypto validation prone to replay attacks

daemon@ATHENA.MIT.EDU (Tim Farley)
Thu May 5 15:06:45 2005

Date: Tue, 3 May 2005 12:58:33 -0400
Message-ID: <F71BB5B89FB0384290F8085CFB84061E870062@mcbain.spidynamics.com>
From: "Tim Farley" <tfarley@spidynamics.com>
To: <bugtraq@securityfocus.com>
Cc: <lcamtuf@gmail.com>

Microsoft has addressed your issues 1-a, 1-b and 1-c by adding a property "ViewStateUserKey" to the System.Web.UI.Page class in .NET Framework 1.1. The documentation for this property is here:

http://msdn.microsoft.com/library/en-us/cpref/html/frlrfsystemwebuipageclassviewstateuserkeytopic.asp

Of course, it is up to the individual web page developer to ensure an appropriate non-trivial value has been placed into this property. As we all know, this is exactly the sort of detail that developers often forget or flub, with disastrous results.

--Tim Farley
  SPI Dynamics

Start Secure. Stay Secure.
Security Assurance Throughout the Application Lifecycle.
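The mitigation described in the post, as an added example (not code from the post or from Microsoft's documentation): a base Page class that binds ViewState to the current session via ViewStateUserKey, so the per-user value is set once for the whole application instead of being left to each developer. It assumes an ASP.NET 1.1 or later Web Forms application with session state enabled; the class name UserKeyedPage is hypothetical.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Added example. Every page in the application should derive from this
// class so ViewStateUserKey is never left at its default (null), which
// is the "developer forgets" failure the post warns about.
public class UserKeyedPage : Page
{
    protected override void OnInit(EventArgs e)
    {
        // ViewStateUserKey must be assigned during the Init stage, before
        // the framework loads and MAC-validates the posted __VIEWSTATE;
        // assigning it later is rejected by the framework.
        //
        // Using the session ID ties the ViewState MAC to a secret that only
        // this user's browser holds, so a __VIEWSTATE captured from one
        // session fails validation when replayed in another session.
        if (Session != null && Session.SessionID != null)
        {
            ViewStateUserKey = Session.SessionID;
        }
        base.OnInit(e);
    }
}

// Global.asax: ASP.NET does not persist a new session ID until something is
// stored in the session, so store a value at session start to keep the ID
// (and therefore the key) stable across requests.
public class Global : HttpApplication
{
    protected void Session_Start(object sender, EventArgs e)
    {
        Session["init"] = DateTime.UtcNow; // any value; the key is the presence
    }
}
```

A ViewStateUserKey set to a constant string, or to a value the client can choose (query string, form field), gives no replay protection; the value must be a per-user secret such as the session ID.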
