config, or viewstate validation can be turned off
per page or machine-wide. Manually specifying a key has its drawbacks. The key must
be synchronized to all machines within the web farm. As with most key management
solutions, it can be difficult to change the key without disrupting users of the application.
To check whether viewstate integrity validation is disabled, simply modify the
_VIEWSTATE before submission. If the server accepts the viewstate without complaint,
then viewstate validation is likely disabled.
Chapter 5: .Net Security 129
In addition to signing, viewstate may also be optionally encrypted using Data
Encryption Standard (DES), Triple DES (3DES), or Advanced Encryption Standard (AES).
By default, ASP.Net will not encrypt viewstate. Encrypting the viewstate can help protect
against disclosure of sensitive data but Microsoft recommends avoiding encryption and
instead never placing sensitive data within the viewstate. Of course, we all know that
not all guidance is followed, so make sure to check that nothing sensitive is within the
viewstate. If the viewstate appears to be encrypted, then try saving the viewstate, logging
in as a different user, and submitting the saved viewstate.
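The two checks described above, as an added example that is not the book's code and not ASP.NET's own implementation: a simplified model of the viewstate MAC (HMAC-SHA1 appended to the serialized state, as with a SHA1 validationKey) showing why a modified _VIEWSTATE is rejected only when validation is on, plus a scan of unencrypted state for readable strings. The key and payload are constructed values; `printable_runs` and the other function names are assumptions.

```python
import base64
import hashlib
import hmac

# Constructed demo values: the key stands in for <machineKey validationKey>, and the
# payload stands in for serialized page state (0xFF 0x01 is the ASP.NET 2.0+ marker).
VALIDATION_KEY = bytes.fromhex("0123456789abcdef" * 5)
PAYLOAD = b"\xff\x01" + b"role=user\x00" + b"ssn=123-45-6789\x00"


def sign_viewstate(payload: bytes, key: bytes = VALIDATION_KEY) -> str:
    """Model of EnableViewStateMac=true: HMAC-SHA1 over the serialized state is
    appended, then everything is base64-encoded into the __VIEWSTATE field."""
    mac = hmac.new(key, payload, hashlib.sha1).digest()
    return base64.b64encode(payload + mac).decode("ascii")


def validate_viewstate(field: str, key: bytes = VALIDATION_KEY, enable_mac: bool = True):
    """Return the serialized state if the MAC verifies, else None.
    enable_mac=False models a page or machine with validation turned off:
    whatever the client sent is accepted unchecked."""
    blob = base64.b64decode(field)
    if not enable_mac:
        return blob
    payload, mac = blob[:-20], blob[-20:]
    expected = hmac.new(key, payload, hashlib.sha1).digest()
    return payload if hmac.compare_digest(mac, expected) else None


def tamper(field: str) -> str:
    """Flip one bit of the decoded field, the minimal modification the text
    describes; a server with MAC enabled must reject the result."""
    blob = bytearray(base64.b64decode(field))
    blob[0] ^= 0x01
    return base64.b64encode(bytes(blob)).decode("ascii")


def printable_runs(payload: bytes, min_len: int = 6) -> list:
    """Printable ASCII runs in unencrypted state: anything listed here is
    readable to whoever holds the page, which is what the sensitivity check is for."""
    runs, cur = [], bytearray()
    for b in payload + b"\x00":  # sentinel flushes the final run
        if 32 <= b < 127:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                runs.append(cur.decode("ascii"))
            cur = bytearray()
    return runs
```

Real ASP.NET viewstate is LOS-serialized and may carry a 32-byte SHA256 MAC or be encrypted, so this model only illustrates the acceptance behaviour, not the exact byte layout.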