Home page logo
/

bugtraq logo Bugtraq mailing list archives

RE: ASP.NET __VIEWSTATE crypto validation prone to replay attacks
From: "Tim Farley" <tfarley () spidynamics com>
Date: Tue, 3 May 2005 12:58:33 -0400

Microsoft has addressed your issues 1-a, 1-b and 1-c by adding a property "ViewStateUserKey" to the System.Web.UI.Page 
class in .NET Framework 1.1.  The documentation for this property is here:

http://msdn.microsoft.com/library/en-us/cpref/html/frlrfsystemwebuipageclassviewstateuserkeytopic.asp

Of course, it is up to the individual web page developer to ensure an appropriate non-trivial value has been placed 
into this property.  As we all know, this is exactly the sort of detail that developers often forget or flub, with 
disastrous results.

--Tim Farley
  SPI Dynamics

Start Secure. Stay Secure.
Security Assurance Throughout the Application Lifecycle.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]