AttackFlow Findings Dictionary

Disabled Signature Validation

An attacker can tamper with the contents of ViewState and forms authentication cookies, placing fraudulent values in WebForms components, changing application state, and forging requests.

Severity

High

Fix Cost

Medium

Trust Level

High

ASP.NET verifies the signature of ViewState values and forms authentication cookies when it receives them back, having produced them and sent them to the client earlier.

ViewState is one of the most important aspects of ASP.NET WebForms applications, as are forms authentication cookies for both ASP.NET WebForms and MVC applications; neither should be open to tampering or forgery by attackers.

This integrity verification can be disabled with the configuration directive below:

            
<appSettings>
<add key="aspnet:UseLegacyEncryption" value="true" />
</appSettings>
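
One way to audit a web.config for the directive above, as an added example (not AttackFlow's code and not part of the original entry). It reports every active `aspnet:UseLegacyEncryption` entry set to true, including ones under `<location>`, and ignores commented-out entries; the function name, the sample configuration, and the case-insensitive matching of key and value are assumptions.

```python
import xml.etree.ElementTree as ET

SETTING = "aspnet:uselegacyencryption"  # key from this page, lower-cased


def find_legacy_encryption(config_xml):
    """Return [(scope, raw_value)] for each <add> that turns the setting on.

    scope is the enclosing <location path>, or "." for the file itself. Every
    occurrence is reported; override and inheritance order are not modelled.
    """
    try:
        root = ET.fromstring(config_xml)  # the parser drops XML comments
    except ET.ParseError as exc:
        raise ValueError(f"not well-formed XML: {exc}") from exc
    findings = []

    def walk(node, scope):
        for child in node:
            name = child.tag.rsplit("}", 1)[-1]  # drop any XML namespace
            if name == "location":
                walk(child, child.get("path") or ".")
            elif name == "appSettings":
                for add in child:
                    key = (add.get("key") or "").lower()
                    value = add.get("value") or ""
                    # Assumption: key match ignores case; value is read as a
                    # boolean, ignoring case and surrounding whitespace.
                    is_add = add.tag.rsplit("}", 1)[-1] == "add"
                    if is_add and key == SETTING and value.strip().lower() == "true":
                        findings.append((scope, value))
            else:
                walk(child, scope)

    walk(root, ".")
    return findings

# Constructed sample: setting off, commented out, and on under <location>.
SAMPLE = """<configuration>
  <appSettings>
    <!-- <add key="aspnet:UseLegacyEncryption" value="true" /> -->
    <add key="aspnet:UseLegacyEncryption" value="false" />
  </appSettings>
  <location path="legacy"><appSettings>
    <add key="ASPNET:UseLegacyEncryption" value=" True " />
  </appSettings></location>
</configuration>"""

print(find_legacy_encryption(SAMPLE))  # [('legacy', ' True ')]
```

A non-empty result means signature validation is weakened for that scope; removing the entry or setting it to false restores the default behaviour.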
                
            
