from: trustwave advisories · from: trustwave advisories sent: tuesday, february 9th 2010 23:41...
TRANSCRIPT
![Page 1: From: Trustwave Advisories · From: Trustwave Advisories Sent: Tuesday, February 9th 2010 23:41 ...SpiderLabs has documented view state tampering vulnerabilities ... View states are](https://reader030.vdocuments.us/reader030/viewer/2022040802/5e3cb00e6d13f8680a375713/html5/thumbnails/1.jpg)
![Page 2: From: Trustwave Advisories · From: Trustwave Advisories Sent: Tuesday, February 9th 2010 23:41 ...SpiderLabs has documented view state tampering vulnerabilities ... View states are](https://reader030.vdocuments.us/reader030/viewer/2022040802/5e3cb00e6d13f8680a375713/html5/thumbnails/2.jpg)
![Page 3: From: Trustwave Advisories · From: Trustwave Advisories Sent: Tuesday, February 9th 2010 23:41 ...SpiderLabs has documented view state tampering vulnerabilities ... View states are](https://reader030.vdocuments.us/reader030/viewer/2022040802/5e3cb00e6d13f8680a375713/html5/thumbnails/3.jpg)
From: Trustwave Advisories
Sent: Tuesday, February 9th 2010 23:41
...SpiderLabs has documented view state tampering
vulnerabilities ... View states are used by some
web application frameworks to store the state of
HTML GUI controls. View states are typically
stored in hidden client-side input fields,
although server-side storage is widely supported.
Credit: David Byrne of Trustwave's SpiderLabs
![Page 4: From: Trustwave Advisories · From: Trustwave Advisories Sent: Tuesday, February 9th 2010 23:41 ...SpiderLabs has documented view state tampering vulnerabilities ... View states are](https://reader030.vdocuments.us/reader030/viewer/2022040802/5e3cb00e6d13f8680a375713/html5/thumbnails/4.jpg)
Executive Summary
... An attacker who successfully exploited this
vulnerability could read data, such as the view
state, which was encrypted by the server. This
vulnerability can also be used for data tampering,
which, if successfully exploited, could be used to
decrypt and tamper with the data encrypted by the
server.
Microsoft .NET Framework versions prior to Microsoft
.NET Framework 3.5 Service Pack 1 are not affected
by the file content disclosure portion of this
vulnerability.
![Page 6: From: Trustwave Advisories · From: Trustwave Advisories Sent: Tuesday, February 9th 2010 23:41 ...SpiderLabs has documented view state tampering vulnerabilities ... View states are](https://reader030.vdocuments.us/reader030/viewer/2022040802/5e3cb00e6d13f8680a375713/html5/thumbnails/6.jpg)
<script runat="server">
protected void Page_Load(object sender, Event...
if (!IsPostBack) {
myLabel.Text = "Here you can download...
}
}
</script>
<asp:Content runat="server" ContentPlaceHolderID...
<asp:Label ID="myLabel" runat="server">
</asp:Label>
![Page 7: From: Trustwave Advisories · From: Trustwave Advisories Sent: Tuesday, February 9th 2010 23:41 ...SpiderLabs has documented view state tampering vulnerabilities ... View states are](https://reader030.vdocuments.us/reader030/viewer/2022040802/5e3cb00e6d13f8680a375713/html5/thumbnails/7.jpg)
<form name="aspnetForm" method="post" id="asp...
<input type="hidden" name="__VIEWSTATE“ id="__V...
value="/wEP0aWpA45OkQLP9+4sT2...YW1lcw=" />
...
Download tool</span></h1>
</div>
...
<div class="entry">
<span id="ctl00_plhContent_myLabel">
Here you can download everything you wan...
</span>
![Page 8: From: Trustwave Advisories · From: Trustwave Advisories Sent: Tuesday, February 9th 2010 23:41 ...SpiderLabs has documented view state tampering vulnerabilities ... View states are](https://reader030.vdocuments.us/reader030/viewer/2022040802/5e3cb00e6d13f8680a375713/html5/thumbnails/8.jpg)
...
<input type="hidden" name="__VIEWSTATE“ id="__V...
value="/wEP0aWpA45OkQLP9+4sT2...YW1lcw=" />
![Page 9: From: Trustwave Advisories · From: Trustwave Advisories Sent: Tuesday, February 9th 2010 23:41 ...SpiderLabs has documented view state tampering vulnerabilities ... View states are](https://reader030.vdocuments.us/reader030/viewer/2022040802/5e3cb00e6d13f8680a375713/html5/thumbnails/9.jpg)
![Page 10: From: Trustwave Advisories · From: Trustwave Advisories Sent: Tuesday, February 9th 2010 23:41 ...SpiderLabs has documented view state tampering vulnerabilities ... View states are](https://reader030.vdocuments.us/reader030/viewer/2022040802/5e3cb00e6d13f8680a375713/html5/thumbnails/10.jpg)
![Page 11: From: Trustwave Advisories · From: Trustwave Advisories Sent: Tuesday, February 9th 2010 23:41 ...SpiderLabs has documented view state tampering vulnerabilities ... View states are](https://reader030.vdocuments.us/reader030/viewer/2022040802/5e3cb00e6d13f8680a375713/html5/thumbnails/11.jpg)
![Page 12: From: Trustwave Advisories · From: Trustwave Advisories Sent: Tuesday, February 9th 2010 23:41 ...SpiderLabs has documented view state tampering vulnerabilities ... View states are](https://reader030.vdocuments.us/reader030/viewer/2022040802/5e3cb00e6d13f8680a375713/html5/thumbnails/12.jpg)
![Page 13: From: Trustwave Advisories · From: Trustwave Advisories Sent: Tuesday, February 9th 2010 23:41 ...SpiderLabs has documented view state tampering vulnerabilities ... View states are](https://reader030.vdocuments.us/reader030/viewer/2022040802/5e3cb00e6d13f8680a375713/html5/thumbnails/13.jpg)
![Page 14: From: Trustwave Advisories · From: Trustwave Advisories Sent: Tuesday, February 9th 2010 23:41 ...SpiderLabs has documented view state tampering vulnerabilities ... View states are](https://reader030.vdocuments.us/reader030/viewer/2022040802/5e3cb00e6d13f8680a375713/html5/thumbnails/14.jpg)
![Page 15: From: Trustwave Advisories · From: Trustwave Advisories Sent: Tuesday, February 9th 2010 23:41 ...SpiderLabs has documented view state tampering vulnerabilities ... View states are](https://reader030.vdocuments.us/reader030/viewer/2022040802/5e3cb00e6d13f8680a375713/html5/thumbnails/15.jpg)
__VIEWSTATE
Text InnerHTML
![Page 16: From: Trustwave Advisories · From: Trustwave Advisories Sent: Tuesday, February 9th 2010 23:41 ...SpiderLabs has documented view state tampering vulnerabilities ... View states are](https://reader030.vdocuments.us/reader030/viewer/2022040802/5e3cb00e6d13f8680a375713/html5/thumbnails/16.jpg)
![Page 17: From: Trustwave Advisories · From: Trustwave Advisories Sent: Tuesday, February 9th 2010 23:41 ...SpiderLabs has documented view state tampering vulnerabilities ... View states are](https://reader030.vdocuments.us/reader030/viewer/2022040802/5e3cb00e6d13f8680a375713/html5/thumbnails/17.jpg)
![Page 18: From: Trustwave Advisories · From: Trustwave Advisories Sent: Tuesday, February 9th 2010 23:41 ...SpiderLabs has documented view state tampering vulnerabilities ... View states are](https://reader030.vdocuments.us/reader030/viewer/2022040802/5e3cb00e6d13f8680a375713/html5/thumbnails/18.jpg)
![Page 19: From: Trustwave Advisories · From: Trustwave Advisories Sent: Tuesday, February 9th 2010 23:41 ...SpiderLabs has documented view state tampering vulnerabilities ... View states are](https://reader030.vdocuments.us/reader030/viewer/2022040802/5e3cb00e6d13f8680a375713/html5/thumbnails/19.jpg)
![Page 20: From: Trustwave Advisories · From: Trustwave Advisories Sent: Tuesday, February 9th 2010 23:41 ...SpiderLabs has documented view state tampering vulnerabilities ... View states are](https://reader030.vdocuments.us/reader030/viewer/2022040802/5e3cb00e6d13f8680a375713/html5/thumbnails/20.jpg)
![Page 21: From: Trustwave Advisories · From: Trustwave Advisories Sent: Tuesday, February 9th 2010 23:41 ...SpiderLabs has documented view state tampering vulnerabilities ... View states are](https://reader030.vdocuments.us/reader030/viewer/2022040802/5e3cb00e6d13f8680a375713/html5/thumbnails/21.jpg)
<form id="Form1" method="GET" runAt="server,...
<label for="inpSearch">Search: </label>
<input value='<%=Request.QueryString["search"]%>'
type='text' id='search' name='search'>
<input type="submit" />
</form>
![Page 22: From: Trustwave Advisories · From: Trustwave Advisories Sent: Tuesday, February 9th 2010 23:41 ...SpiderLabs has documented view state tampering vulnerabilities ... View states are](https://reader030.vdocuments.us/reader030/viewer/2022040802/5e3cb00e6d13f8680a375713/html5/thumbnails/22.jpg)
internal static bool IsDangerousString(…) {
…
char ch = s[num2];
if (ch != '&') {
if ((ch == '<') && ((IsAtoZ(s[num2 + 1]) ||
(s[num2 + 1] == '!')) || ((s[num2 + 1] == '/')
|| (s[num2 + 1] == '?'))))
return true;
}
else if (s[num2 + 1] == '#')
return true;
![Page 23: From: Trustwave Advisories · From: Trustwave Advisories Sent: Tuesday, February 9th 2010 23:41 ...SpiderLabs has documented view state tampering vulnerabilities ... View states are](https://reader030.vdocuments.us/reader030/viewer/2022040802/5e3cb00e6d13f8680a375713/html5/thumbnails/23.jpg)
![Page 24: From: Trustwave Advisories · From: Trustwave Advisories Sent: Tuesday, February 9th 2010 23:41 ...SpiderLabs has documented view state tampering vulnerabilities ... View states are](https://reader030.vdocuments.us/reader030/viewer/2022040802/5e3cb00e6d13f8680a375713/html5/thumbnails/24.jpg)
![Page 25: From: Trustwave Advisories · From: Trustwave Advisories Sent: Tuesday, February 9th 2010 23:41 ...SpiderLabs has documented view state tampering vulnerabilities ... View states are](https://reader030.vdocuments.us/reader030/viewer/2022040802/5e3cb00e6d13f8680a375713/html5/thumbnails/25.jpg)
Server.HtmlEncode("<b>") => <b>
![Page 26: From: Trustwave Advisories · From: Trustwave Advisories Sent: Tuesday, February 9th 2010 23:41 ...SpiderLabs has documented view state tampering vulnerabilities ... View states are](https://reader030.vdocuments.us/reader030/viewer/2022040802/5e3cb00e6d13f8680a375713/html5/thumbnails/26.jpg)
![Page 27: From: Trustwave Advisories · From: Trustwave Advisories Sent: Tuesday, February 9th 2010 23:41 ...SpiderLabs has documented view state tampering vulnerabilities ... View states are](https://reader030.vdocuments.us/reader030/viewer/2022040802/5e3cb00e6d13f8680a375713/html5/thumbnails/27.jpg)
<form id="Form1" method="GET" runAt="server...
<label for="inpSearch">Search: </label>
<input value='<%=Server.HtmlEncode(
Request.QueryString["search"]) %>'
type='text' id='search' name='search'>
<input type="submit" />
</form>
![Page 28: From: Trustwave Advisories · From: Trustwave Advisories Sent: Tuesday, February 9th 2010 23:41 ...SpiderLabs has documented view state tampering vulnerabilities ... View states are](https://reader030.vdocuments.us/reader030/viewer/2022040802/5e3cb00e6d13f8680a375713/html5/thumbnails/28.jpg)
// Now in System.Net.WebUtility with .NET 4.0
public static unsafe void HtmlEncode(…) {
...
switch (ch) {
case '&': {
output.Write("&");
continue;
}
case '\'': {
output.Write("'");
continue;
}
case '"': …
case '<': …
case '>': …
…}
![Page 29: From: Trustwave Advisories · From: Trustwave Advisories Sent: Tuesday, February 9th 2010 23:41 ...SpiderLabs has documented view state tampering vulnerabilities ... View states are](https://reader030.vdocuments.us/reader030/viewer/2022040802/5e3cb00e6d13f8680a375713/html5/thumbnails/29.jpg)
![Page 30: From: Trustwave Advisories · From: Trustwave Advisories Sent: Tuesday, February 9th 2010 23:41 ...SpiderLabs has documented view state tampering vulnerabilities ... View states are](https://reader030.vdocuments.us/reader030/viewer/2022040802/5e3cb00e6d13f8680a375713/html5/thumbnails/30.jpg)
![Page 31: From: Trustwave Advisories · From: Trustwave Advisories Sent: Tuesday, February 9th 2010 23:41 ...SpiderLabs has documented view state tampering vulnerabilities ... View states are](https://reader030.vdocuments.us/reader030/viewer/2022040802/5e3cb00e6d13f8680a375713/html5/thumbnails/31.jpg)
![Page 32: From: Trustwave Advisories · From: Trustwave Advisories Sent: Tuesday, February 9th 2010 23:41 ...SpiderLabs has documented view state tampering vulnerabilities ... View states are](https://reader030.vdocuments.us/reader030/viewer/2022040802/5e3cb00e6d13f8680a375713/html5/thumbnails/32.jpg)
![Page 33: From: Trustwave Advisories · From: Trustwave Advisories Sent: Tuesday, February 9th 2010 23:41 ...SpiderLabs has documented view state tampering vulnerabilities ... View states are](https://reader030.vdocuments.us/reader030/viewer/2022040802/5e3cb00e6d13f8680a375713/html5/thumbnails/33.jpg)
![Page 34: From: Trustwave Advisories · From: Trustwave Advisories Sent: Tuesday, February 9th 2010 23:41 ...SpiderLabs has documented view state tampering vulnerabilities ... View states are](https://reader030.vdocuments.us/reader030/viewer/2022040802/5e3cb00e6d13f8680a375713/html5/thumbnails/34.jpg)
<!-- web.config file of DotNetNuke
latest version -->
<system.web>
<machineKey
validationKey="F60E6580AE5E29E10C
F592A687E87F1D09280611"
decryptionKey="8A3D693693DB497480
7AC0078A2564C1ED8A19121BCB342C"
decryption="3DES"
validation="SHA1"
/>
![Page 35: From: Trustwave Advisories · From: Trustwave Advisories Sent: Tuesday, February 9th 2010 23:41 ...SpiderLabs has documented view state tampering vulnerabilities ... View states are](https://reader030.vdocuments.us/reader030/viewer/2022040802/5e3cb00e6d13f8680a375713/html5/thumbnails/35.jpg)
![Page 36: From: Trustwave Advisories · From: Trustwave Advisories Sent: Tuesday, February 9th 2010 23:41 ...SpiderLabs has documented view state tampering vulnerabilities ... View states are](https://reader030.vdocuments.us/reader030/viewer/2022040802/5e3cb00e6d13f8680a375713/html5/thumbnails/36.jpg)
![Page 37: From: Trustwave Advisories · From: Trustwave Advisories Sent: Tuesday, February 9th 2010 23:41 ...SpiderLabs has documented view state tampering vulnerabilities ... View states are](https://reader030.vdocuments.us/reader030/viewer/2022040802/5e3cb00e6d13f8680a375713/html5/thumbnails/37.jpg)
![Page 38: From: Trustwave Advisories · From: Trustwave Advisories Sent: Tuesday, February 9th 2010 23:41 ...SpiderLabs has documented view state tampering vulnerabilities ... View states are](https://reader030.vdocuments.us/reader030/viewer/2022040802/5e3cb00e6d13f8680a375713/html5/thumbnails/38.jpg)
![Page 39: From: Trustwave Advisories · From: Trustwave Advisories Sent: Tuesday, February 9th 2010 23:41 ...SpiderLabs has documented view state tampering vulnerabilities ... View states are](https://reader030.vdocuments.us/reader030/viewer/2022040802/5e3cb00e6d13f8680a375713/html5/thumbnails/39.jpg)
![Page 40: From: Trustwave Advisories · From: Trustwave Advisories Sent: Tuesday, February 9th 2010 23:41 ...SpiderLabs has documented view state tampering vulnerabilities ... View states are](https://reader030.vdocuments.us/reader030/viewer/2022040802/5e3cb00e6d13f8680a375713/html5/thumbnails/40.jpg)
![Page 41: From: Trustwave Advisories · From: Trustwave Advisories Sent: Tuesday, February 9th 2010 23:41 ...SpiderLabs has documented view state tampering vulnerabilities ... View states are](https://reader030.vdocuments.us/reader030/viewer/2022040802/5e3cb00e6d13f8680a375713/html5/thumbnails/41.jpg)
![Page 42: From: Trustwave Advisories · From: Trustwave Advisories Sent: Tuesday, February 9th 2010 23:41 ...SpiderLabs has documented view state tampering vulnerabilities ... View states are](https://reader030.vdocuments.us/reader030/viewer/2022040802/5e3cb00e6d13f8680a375713/html5/thumbnails/42.jpg)
![Page 43: From: Trustwave Advisories · From: Trustwave Advisories Sent: Tuesday, February 9th 2010 23:41 ...SpiderLabs has documented view state tampering vulnerabilities ... View states are](https://reader030.vdocuments.us/reader030/viewer/2022040802/5e3cb00e6d13f8680a375713/html5/thumbnails/43.jpg)
![Page 44: From: Trustwave Advisories · From: Trustwave Advisories Sent: Tuesday, February 9th 2010 23:41 ...SpiderLabs has documented view state tampering vulnerabilities ... View states are](https://reader030.vdocuments.us/reader030/viewer/2022040802/5e3cb00e6d13f8680a375713/html5/thumbnails/44.jpg)
![Page 45: From: Trustwave Advisories · From: Trustwave Advisories Sent: Tuesday, February 9th 2010 23:41 ...SpiderLabs has documented view state tampering vulnerabilities ... View states are](https://reader030.vdocuments.us/reader030/viewer/2022040802/5e3cb00e6d13f8680a375713/html5/thumbnails/45.jpg)
![Page 46: From: Trustwave Advisories · From: Trustwave Advisories Sent: Tuesday, February 9th 2010 23:41 ...SpiderLabs has documented view state tampering vulnerabilities ... View states are](https://reader030.vdocuments.us/reader030/viewer/2022040802/5e3cb00e6d13f8680a375713/html5/thumbnails/46.jpg)
![Page 47: From: Trustwave Advisories · From: Trustwave Advisories Sent: Tuesday, February 9th 2010 23:41 ...SpiderLabs has documented view state tampering vulnerabilities ... View states are](https://reader030.vdocuments.us/reader030/viewer/2022040802/5e3cb00e6d13f8680a375713/html5/thumbnails/47.jpg)