Mixing cross-user data could
cause the application to behave in an insecure manner.
In .NET 2.0, ASP.NET added the __EVENTVALIDATION hidden form field. It was introduced to mitigate
an attack in which postbacks were sent to event handlers that were wired up on the server but whose
controls were not rendered on the current user's page. For example, if a page had a Delete User
button that was only shown when an administrator viewed the page, an attacker could still submit a
postback naming that button's event handler as the target. If the handler did not repeat the access
check itself, accepting the event could let an ordinary user elevate privileges. The __EVENTVALIDATION
field prevents this by recording which event handlers (control and argument pairs) may legitimately
raise a postback on that page. The field is cross-referenced to the viewstate and protected with an
HMAC so that neither can be tampered with or swapped independently.
Gaining Access to Sensitive Data by Decoding Viewstate
Popularity: 4
Simplicity: 7
Impact: 6
Risk Rating: 6
When attacking an ASP.NET application that uses viewstate, an attacker follows
a multistage approach. First, he uses Fritz Onion's ViewState Decoder tool
(www.pluralsight.com/tools.aspx) to look for sensitive data within the viewstate.
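To make the decoding step concrete, here is a decoder written for this page (it is not the ViewState Decoder tool and not code from the book). It handles the .NET 2.0-era ObjectStateFormatter token set that most pages use, decodes both a __VIEWSTATE and a __EVENTVALIDATION value (which is why it also serves the event validation paragraph above), reports how many bytes trail the serialized object so you can tell whether a MAC is appended, and flattens every string out of the tree for the "look for sensitive data" pass. The two sample field values are constructed here with a small mirror encoder, not captured from a real application, and the event validation layout (an ArrayList of ints whose first element ties it to the viewstate) is an assumption about the 2.0 implementation stated in the comments.

```python
"""Decoder for the ASP.NET 2.0 ObjectStateFormatter ("LOS") format used by
__VIEWSTATE and __EVENTVALIDATION. Written for this page; subset of tokens."""
import base64
import struct

# Token values from System.Web.UI.ObjectStateFormatter (format marker FF 01).
T_INT16, T_INT32, T_BYTE, T_STRING = 1, 2, 3, 5
T_PAIR, T_TRIPLET = 15, 16
T_STRINGARRAY, T_ARRAYLIST, T_HASHTABLE = 21, 22, 23
T_INDEXEDSTRINGADD, T_INDEXEDSTRING = 30, 31
CONSTS = {100: None, 101: "", 102: 0, 103: True, 104: False}  # Null..False


class LosDecoder:
    def __init__(self, data):
        self.data, self.pos, self.table = data, 2, []  # table: indexed strings

    def byte(self):
        self.pos += 1
        return self.data[self.pos - 1]

    def int32(self):
        # BinaryWriter.Write7BitEncodedInt; negatives arrive as 5-byte uint32
        result = shift = 0
        while True:
            b = self.byte()
            result |= (b & 0x7F) << shift
            shift += 7
            if not b & 0x80:
                return result - (1 << 32) if result >= (1 << 31) else result

    def string(self):
        n = self.int32()
        self.pos += n
        return self.data[self.pos - n:self.pos].decode("utf-8")

    def value(self):
        t = self.byte()
        if t in CONSTS:
            return CONSTS[t]
        if t == T_BYTE:
            return self.byte()
        if t == T_INT16:
            self.pos += 2
            return struct.unpack_from("<h", self.data, self.pos - 2)[0]
        if t == T_INT32:
            return self.int32()
        if t == T_STRING:
            return self.string()
        if t == T_INDEXEDSTRINGADD:  # string added to the per-stream table
            self.table.append(self.string())
            return self.table[-1]
        if t == T_INDEXEDSTRING:  # one-byte index into that table
            return self.table[self.byte()]
        if t == T_PAIR:
            return ("Pair", self.value(), self.value())
        if t == T_TRIPLET:
            return ("Triplet", self.value(), self.value(), self.value())
        if t == T_ARRAYLIST:
            return [self.value() for _ in range(self.int32())]
        if t == T_STRINGARRAY:
            return [self.string() for _ in range(self.int32())]
        if t == T_HASHTABLE:
            table = {}
            for _ in range(self.int32()):
                key = self.value()
                table[key] = self.value()
            return table
        raise ValueError("unsupported token %d at offset %d" % (t, self.pos - 1))


def decode(field_value):
    """Return (object tree, trailing byte count) for a base64 hidden-field value.
    20 trailing bytes is consistent with an HMAC-SHA1 MAC, 32 with HMAC-SHA256,
    0 means enableViewStateMac is off. A missing FF 01 header usually means
    the viewstate is encrypted and this decoder cannot read it."""
    raw = base64.b64decode(field_value)
    if raw[:2] != b"\xff\x01":
        raise ValueError("no ObjectStateFormatter header; viewstate likely encrypted")
    d = LosDecoder(raw)
    return d.value(), len(raw) - d.pos


def strings_in(tree):
    """Yield every string in the decoded tree (the sensitive-data hunt)."""
    if isinstance(tree, str):
        yield tree
    elif isinstance(tree, (list, tuple)):
        for item in (tree[1:] if isinstance(tree, tuple) else tree):
            yield from strings_in(item)
    elif isinstance(tree, dict):
        for k, v in tree.items():
            yield from strings_in(k)
            yield from strings_in(v)


def _enc_int(n):  # 7-bit encoder, mirror of LosDecoder.int32, for the samples
    n, out = n & 0xFFFFFFFF, bytearray()
    while n >= 0x80:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    out.append(n)
    return bytes(out)


def _enc_str(s):
    b = s.encode("utf-8")
    return _enc_int(len(b)) + b


# Constructed sample, not from a real site: Pair(page hash, Triplet(...)) with an
# "IsAdmin" flag and an account number, then 20 zero bytes standing in for the MAC.
SAMPLE_VIEWSTATE = base64.b64encode(
    b"\xff\x01" + bytes([T_PAIR, T_INT32]) + _enc_int(1234) + bytes([T_TRIPLET])
    + bytes([T_INDEXEDSTRINGADD]) + _enc_str("IsAdmin") + bytes([104])
    + bytes([T_ARRAYLIST]) + _enc_int(2) + bytes([T_INDEXEDSTRING, 0])
    + bytes([T_STRING]) + _enc_str("acct=1234-567890") + b"\x00" * 20).decode()

# Constructed __EVENTVALIDATION (assumed 2.0 layout): ArrayList of ints, element 0
# a hash tying it to the viewstate string, the rest hashes of valid postback targets.
SAMPLE_EVENTVALIDATION = base64.b64encode(
    b"\xff\x01" + bytes([T_ARRAYLIST]) + _enc_int(3)
    + b"".join(bytes([T_INT32]) + _enc_int(h) for h in (-1571449103, 1982073556, -2012312521))
    + b"\x00" * 20).decode()

if __name__ == "__main__":
    for name, field in (("__VIEWSTATE", SAMPLE_VIEWSTATE), ("__EVENTVALIDATION", SAMPLE_EVENTVALIDATION)):
        tree, trailing = decode(field)
        print(name, tree, "trailing bytes:", trailing, "strings:", list(strings_in(tree)))
```

Against a real page, paste the hidden field values in place of the constructed samples; a ValueError on an unknown token means the page uses a type this subset does not cover (DateTime, Color, binary-serialized objects), and a missing FF 01 header means the decoding step is blocked by encryption and the attacker's first stage yields nothing.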