mailing list archives
Re: ASP.NET __VIEWSTATE crypto validation prone to replay attacks
From: Anton Ivanov <arivanov () sigsegv cx>
Date: Thu, 12 May 2005 09:23:52 +0100
-----BEGIN PGP SIGNED MESSAGE-----
One more example.
It looks like someone already used this to rig his scores in the
Microsoft Security Professional competition.
Michal Zalewski wrote:
| I would also like to point all concerned to an excellent post about
| replay attacks on __VIEWSTATE; the post is by Scott Mitchell, the
| guy who authored the MSDN article I initially referred to :
| His article is aimed at developers; Scott explains the issue I
| reported in a way that makes it perhaps more clear why putting user
| ID, session ID, or other similar data in __VIEWSTATE is not a
| remedy by itself, and why reposting __VIEWSTATE is dangerous
| despite target script location checks.
| Cheers, /mz
La Châtelier's Law:
~ If some stress is brought to bear on a system in equilibrium,
the equilibrium is displaced in the direction which tends to undo the
effect of the stress.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----