ASP.NET View State Tampering Vulnerabilities
Trustwave's SpiderLabs Security Advisory TWSL2010-001:
Multiplatform View State Tampering Vulnerabilities
Published: 2010-02-08 Version: 1.1
SpiderLabs has documented view state tampering
vulnerabilities in three products from separate vendors.
View states are used by some web application frameworks to
store the state of HTML GUI controls. View states are
typically stored in hidden client-side input fields,
although server-side storage is widely supported.
The affected vendors generally recommend that client-side
view states are cryptographically signed and/or encrypted,
but specific exploits have not been previously documented.
These vulnerabilities show that unsigned client-side view
states will ALWAYS result in a vulnerability in the affected
products.
Credit: David Byrne of Trustwave's SpiderLabs
===============================================
Vendor: Microsoft (http://www.microsoft.com)
Product: ASP.Net (http://www.asp.net)
Versions affected: .Net 3.5 is confirmed vulnerable;
previous versions are likely to be vulnerable as well.
Description:
ASP.Net is a web-application development framework that
provides both user-interface and back-end functionality.
The ASP.Net view state is typically stored in a hidden field
named "__VIEWSTATE". When a page's view state is not
cryptographically signed, many standard .Net controls are
vulnerable to Cross-Site Scripting (XSS) through the view
state.
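As an added defensive example (not part of the advisory or of Microsoft's own tooling), the Python audit below scans a constructed web.config and a constructed .aspx page for the setting that turns view state signing off: the enableViewStateMac attribute on the <pages> element, including <location> overrides that disable it for a single directory, and the equivalent attribute in a page's <%@ Page %> directive. The sample inputs are constructed for this illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample web.config (not from the advisory): the global <pages> setting is
# safe, but a <location> override silently turns the MAC off for one directory.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <pages enableViewStateMac="true" />
  </system.web>
  <location path="legacy">
    <system.web>
      <pages enableViewStateMac="false" />
    </system.web>
  </location>
</configuration>"""

# Constructed .aspx source whose page directive overrides the config for that one page.
SAMPLE_ASPX = '<%@ Page Language="C#" EnableViewStateMac="false" %>\n<html></html>'

MAC_DISABLED = "enableViewStateMac=false: __VIEWSTATE is unsigned and can be tampered with"

def _pages_elements(container):
    """Yield every <pages> element under a <system.web> child of `container`."""
    for system_web in container:
        if system_web.tag == "system.web":
            for child in system_web:
                if child.tag == "pages":
                    yield child

def audit_web_config(xml_text):
    """Return (scope, finding) pairs for each <pages> element that disables the MAC."""
    root = ET.fromstring(xml_text)
    scopes = [("<global>", root)]
    scopes += [(loc.get("path", "<unnamed>"), loc) for loc in root.findall("location")]
    findings = []
    for scope, container in scopes:
        for pages in _pages_elements(container):
            # The attribute defaults to "true" when absent; only an explicit "false" counts.
            if pages.get("enableViewStateMac", "true").strip().lower() == "false":
                findings.append((scope, MAC_DISABLED))
    return findings

def aspx_disables_mac(source):
    """True if the <%@ Page ... %> directive sets EnableViewStateMac="false"."""
    directive = re.search(r"<%@\s*Page\b(.*?)%>", source, re.IGNORECASE | re.DOTALL)
    if not directive:
        return False
    return re.search(r'\bEnableViewStateMac\s*=\s*"false"', directive.group(1), re.I) is not None
```

Run both checks over every web.config and .aspx in a deployment; a finding in either place means the __VIEWSTATE field for that scope is accepted without a signature.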
It is well documented that using an unsigned view state is
"bad", but most previous advisories focus on vaguely
described threats or vulnerabilities introduced by custom
use of the view state. To the best of Trustwave's knowledge,
this is the first time a proof of concept attack of this
nature has been demonstrated against the view state. A
vulnerability was alluded to in a 2004 Microsoft article on
troubleshooting view state problems [1]. However, other
Microsoft documents recommend disabling view state signing
"if performance is a ke