AttackFlow Findings Dictionary


Disabled ViewState MAC Validation

An attacker can tamper with the ViewState content, resulting in fraudulent values being placed into WebForms components, the page state being changed, or even Cross Site Scripting.

Severity

High

Fix Cost

Low

Trust Level

High

ViewState is one of the most important aspects of ASP.NET WebForms applications. However, it is also one of the most confusing. ViewState is a technique for storing changes to dynamic web pages during the user's interaction with the application server. Although it is normally sent with POST requests together with the right form parameters, a GET request can also carry a ViewState.

ViewState is stored in a hidden HTML input:

<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="..." />

The integrity of the data stored in ViewState is protected by a message authentication code (MAC): a secret key is used so that any tampering with the __VIEWSTATE data is detected on the server. The important point is that integrity, not secrecy, is what matters here, so the MAC must not be disabled. The configuration below disables the message authentication code applied to __VIEWSTATE and allows attackers to tamper with the ViewState data.

                         
<configuration>
<system.web>
<pages enableViewStateMac="False" />
</system.web>
</configuration>
            
            

The MAC can also be disabled for individual .aspx pages through the page directive:

<%@ Page EnableViewStateMac="false" %>
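As an added check that is not part of the AttackFlow entry, the following Python script scans web.config and .aspx content for the two weak settings shown above (site-wide in <pages> and per-page in the Page directive); the sample inputs are constructed and the function names are the editor's own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs (not real files): a web.config that disables the
# ViewState MAC site-wide, one page that disables it per-page, and a hardened config.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <pages enableViewStateMac="False" />
  </system.web>
</configuration>"""

SAMPLE_ASPX = ('<%@ Page Language="C#" EnableViewStateMac="false" '
               'CodeBehind="Default.aspx.cs" %>\n<html></html>')

HARDENED_WEB_CONFIG = """<configuration>
  <system.web>
    <pages enableViewStateMac="true" />
  </system.web>
</configuration>"""

# Matches the Page directive and captures the EnableViewStateMac value, case-insensitively.
DIRECTIVE_RE = re.compile(
    r'<%@\s*Page\b[^%]*?\bEnableViewStateMac\s*=\s*"(?P<value>[^"]*)"', re.IGNORECASE)


def check_web_config(xml_text):
    """True if any <pages> element (including nested ones) sets enableViewStateMac to false."""
    root = ET.fromstring(xml_text)
    for pages in root.iter("pages"):
        # Absent attribute means the ASP.NET default, which is enabled.
        if pages.get("enableViewStateMac", "true").strip().lower() == "false":
            return True
    return False


def check_aspx(page_text):
    """True if the page directive explicitly disables the ViewState MAC."""
    match = DIRECTIVE_RE.search(page_text)
    return bool(match and match.group("value").strip().lower() == "false")


def audit(files):
    """files: mapping of file name to content. Returns the names with the MAC disabled."""
    findings = []
    for name, content in files.items():
        lowered = name.lower()
        if lowered.endswith(".config") and check_web_config(content):
            findings.append(name)
        elif lowered.endswith(".aspx") and check_aspx(content):
            findings.append(name)
    return findings
```

On .NET Framework 4.5.2 and later the runtime ignores enableViewStateMac="false" and always validates the MAC, so the finding mainly affects older frameworks; the setting should still be removed rather than relied upon.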
