Friday, January 27, 2012

VIEWSTATE Vulnerabilities


1. ViewState Overview
"View state is a method that the ASP.NET page framework uses to preserve page and control values between round trips. When the HTML markup for the page is rendered, the current state of the page and values that must be retained during postback are serialized into base64-encoded strings. This information is then put into the view state hidden field or fields."
MSDN

"What does ViewState do?
- Stores values per control by key name, like a Hashtable
- Tracks changes to a ViewState value's initial state
- Serializes and deserializes saved data into a hidden form field on the client
- Automatically restores ViewState data on postbacks"

From an article on the ViewState mechanisms by an ASP.NET developer


To put it even more simply, ViewState is a hidden HTML form parameter that sends the current state of the page's controls back to the server on each postback. A typical use: retaining form field values on the page while paging through a list.

Though there are widely used ways of disabling or avoiding ViewState (usually by keeping state server-side in a DBMS), the mechanism is enabled in ASP.NET by default and is often misused:

"Even more important than understanding what it does, is understanding what it does NOT do:
What doesn’t ViewState do?
- Automatically retain state of class variables (private, protected, or public)
- Remember any state information across page loads (only postbacks)
- Remove the need to repopulate data on every request
- ViewState is not responsible for the population of values that are posted such as by TextBox controls (although it does play an important role)"

From an article on the ViewState mechanisms by an ASP.NET developer

Such misuse leads to more serious problems, such as missing input filtering or a distorted idea of how the web application actually works.
Developers tend to believe that because ViewState is a serialized structure, and a base64-encoded one at that, no attacker will be able to get at its contents.

However, the truth is that if encryption and the data integrity check (MAC) are disabled, reading the contents is much simpler than it seems. Let's base64-decode it:
Pic. 1. Decoding VIEWSTATE by means of base64_decoder.

Then open the result in a hex editor. It is now evident that every string value is preceded by bytes that indicate the string's length (the number of length bytes depends on the length of the string: a string shorter than 128 bytes has a single length byte).

Pic. 2. Spoofing content of the serialized structure.

Authoritative resources state that ASP.NET versions earlier than 2.0 use LosFormatter as the serialization/deserialization algorithm, while version 2.0 and later use ObjectStateFormatter. Thus, to change a variable, one needs to determine the length of the new string, overwrite the string, overwrite the length byte (or bytes), base64-encode the result and insert it back into __VIEWSTATE.

Pic. 3. Spoofing content of the serialized structure.
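To make the structure shown in Pics. 1 to 3 concrete, here is an added example (written for this edit, not code from the post) that decodes a __VIEWSTATE value the way ObjectStateFormatter writes it: an FF 01 header, one token byte per value, and string lengths as 7-bit-encoded prefixes (a single byte below 128). It models only a subset of tokens (null, bool, non-negative int, string, Pair, Triplet, ArrayList); the token values are taken from the .NET reference source as I know it and are an assumption of the example, as are the constructed sample graph and the `encode_viewstate` helper. It also reports how many bytes remain after the graph, which is where the MAC sits when EnableViewStateMac is on, so a zero count is a quick sign that a captured value is unprotected.

```python
import base64

# Token values of ASP.NET's ObjectStateFormatter (the .NET 2.0+ ViewState
# serializer) as found in the .NET reference source. Only the subset needed
# here is modelled; the values are this example's assumption, not the post's.
HEADER = b"\xff\x01"
T_INT32, T_STRING, T_PAIR, T_TRIPLET, T_ARRAYLIST = 0x02, 0x05, 0x0F, 0x10, 0x16
T_NULL, T_EMPTY_STRING, T_ZERO, T_TRUE, T_FALSE = 0x64, 0x65, 0x66, 0x67, 0x68


def encode_7bit(n: int) -> bytes:
    """Length prefix used by BinaryWriter.Write7BitEncodedInt: seven bits per
    byte, high bit set while more bytes follow. Values below 128 take one
    byte, which is the single length byte visible in the post's hex dump."""
    out = bytearray()
    while n >= 0x80:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    out.append(n)
    return bytes(out)


def decode_7bit(buf: bytes, pos: int) -> tuple:
    """Inverse of encode_7bit; returns (value, position after the prefix)."""
    value, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7


def serialize(value) -> bytes:
    """Token stream for a small graph (None, bool, non-negative int, str,
    2/3-tuple -> Pair/Triplet, list -> ArrayList); builds the sample only."""
    if value is None:
        return bytes([T_NULL])
    if value is True or value is False:
        return bytes([T_TRUE if value else T_FALSE])
    if isinstance(value, int):
        return bytes([T_ZERO]) if value == 0 else bytes([T_INT32]) + encode_7bit(value)
    if isinstance(value, str):
        raw = value.encode("utf-8")
        return bytes([T_EMPTY_STRING]) if not raw else bytes([T_STRING]) + encode_7bit(len(raw)) + raw
    if isinstance(value, tuple) and len(value) in (2, 3):
        tok = T_PAIR if len(value) == 2 else T_TRIPLET
        return bytes([tok]) + b"".join(serialize(v) for v in value)
    if isinstance(value, list):
        return bytes([T_ARRAYLIST]) + encode_7bit(len(value)) + b"".join(serialize(v) for v in value)
    raise TypeError(f"unsupported value: {value!r}")


def deserialize(buf: bytes, pos: int):
    """Walk one value starting at pos; returns (value, position after it)."""
    tok, pos = buf[pos], pos + 1
    simple = {T_NULL: None, T_EMPTY_STRING: "", T_ZERO: 0, T_TRUE: True, T_FALSE: False}
    if tok in simple:
        return simple[tok], pos
    if tok == T_INT32:
        return decode_7bit(buf, pos)
    if tok == T_STRING:
        n, pos = decode_7bit(buf, pos)          # the length byte(s) the post edits
        return buf[pos:pos + n].decode("utf-8"), pos + n
    if tok in (T_PAIR, T_TRIPLET, T_ARRAYLIST):
        count = 2 if tok == T_PAIR else 3 if tok == T_TRIPLET else None
        if count is None:                       # ArrayList carries its own count
            count, pos = decode_7bit(buf, pos)
        items = []
        for _ in range(count):
            v, pos = deserialize(buf, pos)
            items.append(v)
        return (items if tok == T_ARRAYLIST else tuple(items)), pos
    raise ValueError(f"unsupported token 0x{tok:02x} at offset {pos - 1}")


def parse_viewstate(b64: str):
    """Decode a __VIEWSTATE value into (graph, trailing_bytes). The formatter
    appends the MAC after the graph when EnableViewStateMac is on, so bytes
    left over after a clean parse indicate a MAC (20 for SHA1, 32 for
    HMACSHA256). This is a heuristic, not a verification of the MAC."""
    raw = base64.b64decode(b64)
    if not raw.startswith(HEADER):
        raise ValueError("no ObjectStateFormatter header: encrypted or another format")
    graph, end = deserialize(raw, len(HEADER))
    return graph, len(raw) - end


def strings_in(value) -> list:
    """Every string in the graph: what is readable without encryption."""
    if isinstance(value, str):
        return [value]
    if isinstance(value, (tuple, list)):
        return [s for v in value for s in strings_in(v)]
    return []


def encode_viewstate(graph, mac: bytes = b"") -> str:
    """Base64 a constructed graph, optionally with a fake MAC suffix appended
    where the real formatter puts its HMAC (sample only, not a real MAC)."""
    return base64.b64encode(HEADER + serialize(graph) + mac).decode()


# Constructed sample: a Pair of a control id and an ArrayList of field values,
# the shape a page typically stores; not a blob captured from a real site.
SAMPLE_GRAPH = ("ctl00", ["username", "guest", "role", "viewer", 42, True])
SAMPLE_VIEWSTATE = encode_viewstate(SAMPLE_GRAPH)

if __name__ == "__main__":
    graph, trailing = parse_viewstate(SAMPLE_VIEWSTATE)
    print("graph:", graph)
    print("strings exposed:", strings_in(graph))
    print("MAC suffix present:", trailing > 0, f"({trailing} trailing bytes)")
```

Running the script prints the decoded graph, the list of exposed strings, and `MAC suffix present: False (0 trailing bytes)` for the unprotected sample. Feed `parse_viewstate` a value captured from a real page during a review: a ValueError on the header means the value is encrypted (or not ObjectStateFormatter output), a clean parse with zero trailing bytes means neither encryption nor MAC is protecting it.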

2. Vulnerabilities and attacks
Combined with the typically limited knowledge of the average specialist about correct and secure web application configuration, this approach produces the following vulnerabilities and enables the following attacks:
• Cross-Site Scripting (XSS)
• Content Spoofing
• SQL Injection
• Information Leakage
• Logical Attacks
• ViewState Vulnerabilities as such
• Other vulnerabilities

2.1. Cross-Site Scripting, Content Spoofing
The possibility of spoofing the content of an HTML page follows from ViewState's main purpose, i.e. preserving page and control values. If data taken from ViewState and placed into the HTTP response body are not filtered properly, the result is Content Spoofing and/or Cross-Site Scripting.
Vulnerable configuration:
EnableViewStateMac=false
ViewStateEncryptionMode=never|auto
(Depends on RegisterRequiresViewStateEncryption)
ViewStateUserKey=EMPTY


2.2. Information Leakage, Logical Attacks
If the developer does not encrypt the VIEWSTATE parameter (see Securing View State), an attacker can decode the VIEWSTATE structure and extract confidential data. If the developer does not check data integrity (MAC), an attacker can change parameters that influence the web application logic, thus facilitating Authentication Bypass, Authorization Bypass, and Abuse of Functionality.
Vulnerable configuration:
ViewStateEncryptionMode=never|auto
EnableViewStateMac=false|true


2.3. Attacks Against ViewState
ViewState itself is also vulnerable to attacks. For example, in September 2010 a publication described a vulnerability that allowed decrypting AES-encrypted ViewState by sending numerous requests to a server and observing the differing error responses (http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx).
Besides, the earlier versions (1.0, 1.1) are vulnerable to Denial of Service (DoS) attacks (against unencrypted VIEWSTATE) and to replay attacks (against encrypted VIEWSTATE). A replay attack is an attack on a cryptographic protocol in which an intercepted message is resent and accepted as valid, defeating the protection. These attacks were described by Michal Zalewski as early as 2005 (http://seclists.org/bugtraq/2005/May/27).

2.4. Other Vulnerabilities
All other vulnerabilities common to web applications, such as SQL injection and OS Commanding, as well as vulnerabilities of the Code Execution, Information Disclosure and similar classes, can and should be checked both in the variables of the ViewState structure and in the ordinary variables sent via GET/POST/cookies.
Vulnerable configuration:
EnableViewStateMac=false
ViewStateEncryptionMode=never|auto
(depends on RegisterRequiresViewStateEncryption)


3. Protection

3.1. EnableViewStateMac
Default: TRUE
Since: 1.0

Enables the MAC (Machine Authentication Check), which verifies the VIEWSTATE parameter value by means of a checksum.
Set the EnableViewStateMac property to "True" in the Page element.
Activation also requires configuring the validationKey and validation properties of the machineKey element.
The following built-in algorithms are supported for validation: SHA1, MD5, 3DES, AES, HMACSHA256, HMACSHA384, HMACSHA512.

3.2. ViewStateEncryptionMode
Default: Auto
Since: 2.0

Allows encrypting the VIEWSTATE parameter with any of the following algorithms: DES, 3DES, AES.
To activate it, configure the decryptionKey and decryption properties of the machineKey element.

3.3. ViewStateUserKey
Default: EMPTY
Since: 1.1

Not everyone knows that ViewState protects not only itself against spoofing but also the entire application against CSRF, by means of the ViewStateUserKey property.
ViewStateUserKey is only a protection mechanism; it is the developer's duty to give it an unpredictable, random, per-user value.
Set the ViewStateUserKey property to such a string in the Page element.
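As a defender's companion to sections 2 and 3, here is an added audit script (written for this edit, not code from the post) that reads a web.config fragment and reports the settings the "Vulnerable configuration" lists flag: enableViewStateMac, viewStateEncryptionMode, and the machineKey algorithms and keys. The two config fragments and the key placeholders are constructed for the example; ViewStateUserKey is set in page code rather than in web.config, so it is outside this script's scope.

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragments for the audit (not taken from the post).
# The attribute names are the real ASP.NET ones: <pages enableViewStateMac
# viewStateEncryptionMode> and <machineKey validationKey decryptionKey
# validation decryption>. Key values are placeholders, not real keys.
WEAK_CONFIG = """\
<configuration>
  <system.web>
    <pages enableViewStateMac="false" viewStateEncryptionMode="Never" />
    <machineKey validation="MD5" decryption="DES" />
  </system.web>
</configuration>
"""

HARDENED_CONFIG = """\
<configuration>
  <system.web>
    <pages enableViewStateMac="true" viewStateEncryptionMode="Always" />
    <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY_HEX"
                decryptionKey="PLACEHOLDER_DECRYPTION_KEY_HEX"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""

WEAK_VALIDATION = {"MD5", "SHA1"}   # validation algorithms to retire
WEAK_DECRYPTION = {"DES", "3DES"}   # encryption algorithms to retire


def audit_viewstate_config(xml_text: str) -> list:
    """Return one finding per weak ViewState setting in a web.config."""
    root = ET.fromstring(xml_text)
    pages = root.find("./system.web/pages")
    mk = root.find("./system.web/machineKey")
    findings = []

    # Defaults follow sections 3.1 and 3.2: MAC on, encryption mode Auto.
    mac = (pages.get("enableViewStateMac", "true") if pages is not None else "true").lower()
    mode = (pages.get("viewStateEncryptionMode", "Auto") if pages is not None else "Auto").lower()
    if mac == "false":
        findings.append("enableViewStateMac=false: ViewState can be modified by the client (2.1, 2.2, 2.4)")
    if mode == "never":
        findings.append("viewStateEncryptionMode=Never: contents readable after base64 decoding (2.2)")
    elif mode == "auto":
        findings.append("viewStateEncryptionMode=Auto: encrypted only where RegisterRequiresViewStateEncryption is called")

    if mk is None:
        # Without explicit keys every server generates its own, so MAC checks fail
        # across a web farm; that is the error storm that tempts developers to
        # disable the MAC (section 4).
        findings.append("no machineKey: keys auto-generated per server; set validationKey and decryptionKey explicitly")
        return findings
    for attr in ("validationKey", "decryptionKey"):
        if mk.get(attr, "AutoGenerate").startswith("AutoGenerate"):
            findings.append(f"machineKey {attr} is auto-generated; set an explicit key")
    if mk.get("validation", "").upper() in WEAK_VALIDATION:
        findings.append(f"machineKey validation={mk.get('validation')}: use HMACSHA256 or stronger")
    if mk.get("decryption", "").upper() in WEAK_DECRYPTION:
        findings.append(f"machineKey decryption={mk.get('decryption')}: use AES")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_viewstate_config(cfg) or ['no findings']}")
```

Run against the weak fragment the script lists six findings; against the hardened one it lists none. Note that an Auto encryption mode is reported as a finding even though it is the default: as section 2.1 notes, Auto only encrypts pages or controls that call RegisterRequiresViewStateEncryption, so a reviewer still has to check which pages do.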

4. Conclusion
Sections 2 and 3 show that, in its default configuration, ViewState is protected against all vulnerabilities except 0-days. However, quite often developers, after struggling with constantly appearing error notifications about integrity violations, invalid arguments, etc., end up disabling the settings that provoke the errors, leaving the application vulnerable to various attacks.
Yet, if the web application is properly configured, the probability of such errors, and even of vulnerabilities, can be minimized to 0.

46 comments:

  1. well, i guess i found viewstate without mac enabled but no sign of xss or sql then what should i do ?

  2. Its nice blog with lot of information thanks for sharing keep doing it
     dot net training in chennai

  3. Thanks for share the innovative message its very useful for us
     salesforce training in chennai

  4. I am following your blog from the beginning, it was so distinct & I had a chance to collect conglomeration of information about view state that helps me a lot to improvise myself. I hope this will help many readers who are in need of this vital piece of information. Thanks for sharing & keep your blog updated. DOT NET Training in Chennai

  5. Thanks for your wonderful post. It is really very helpful for us and I have gathered some important information from this blog. If anyone wants to get Dot Net Course in Chennai reach FITA, rated as No.1 Dot Net Training Institutes in Chennai.

  6. FITA provide Dot net training in Velachery; we are the leading training institute for professional studies. Dot Net is a software framework developed by Microsoft, If you get Dot Net training in our institution you can get a good knowledge in that domain.
     Best DOT NET Training institute in Chennai | Dot net training

  7. Thanks for this valid information Actually Without website no one can run their business effectively through online, Good Web design helps to attract the user in good way, & it should be looking neat and very professional more about web design get here
     Web design courses in Chennai | Web design institutes in Chennai

  8. Thanks for sharing this post… Python is the fastest growing language that helps to get your dream job in a best way, so if you want to become an expert in python get some training on that language.
     Regards,
     Python Training in Chennai | Python Course in Chennai | python training chennai

  9. There are lots of information about latest technology, like Hadoop cluster is a special type of computational cluster designed specifically for storing and analyzing huge amounts of unstructured data in a distributed computing environment. This information seems to be more unique and interesting. Thanks for sharing.
     Big Data Training in Chennai | Hadoop Course in Chennai | Big Data Training in Chennai

  10. Thanks for sharing this post… Python is the fastest growing language that helps to get your dream job in a developing area. It says every fundamental in a programming, so if you want to become an expert in python get some training on that language.
     Regards,
     Python Training in Chennai | Python Training | python training chennai | Python Course in Chennai

  11. Good Post! Thank you so much for sharing this pretty post, it was so good to read and useful to improve my knowledge as updated one, keep blogging…
     Regards,
     Angularjs training in chennai | Angularjs training chennai | Angularjs course in chennai | Angularjs training center in Chennai

  12. Hi, I am really happy to found such a helpful and fascinating post that is written in well manner. Thanks for sharing such an informative post. keep update your blog.
     Regards.
     Big Data Training in Chennai

  13. Thanks for your informative article and the blog. Your article is very useful for .net professionals and freshers looking for interview. Best DOT NET Training | Dot Net course in Chennai

  14. Hi, actually I'm new to angularJs and in fact I'm learning angularjs with online training. I'm having a doubt, if you could solve the doubt for me that would be very helpful. The doubt is, how can I reset a "$timeout", and disable a "$watch()"?
     Regards,
     angularjs training in Chennai | angularjs training | angularjs training Chennai

  15. Many mistake HTML as a programming language but rather its a markup language and not programming language. HTML5 is the latest and technically most advanced version of HTML. To know more
     html5 training in chennai | html5 training chennai | html5 course in chennai | html5 training institutes in chennai | html5 training

  17. The main thing which i like about web designing is that it needs creativity and we need to work differently according to our clients need this needs a creativity and innovation.
     web designing course in chennai | web designing training in chennai | web designing courses in chennai

  19. After the website is completed it is very important to market it. Be it a brand or a website, if you want to reach a large audience then effective marketing should be done and this can be achieved by SEO.
     Seo training in chennai | Seo training | Seo courses in chennai | Seo training chennai

  20. I appreciate the effort of the blogger. I have one small question which is related to html5. If you could help me out then it would be really helpful. How is the page structure in html5 different from html4?
     html5 training in chennai | html5 course in chennai | html5 training institutes in chennai

  22. Good Post! Thank you so much for sharing this pretty post, it was so good to read and useful to improve my knowledge as updated one, keep blogging… Regards,
     SAS Training in Chennai

  23. Hi author I actually teach web designing, and after I read this article I was able to clarify a doubt and this helped me understanding a certain concept better and so I could teach my students well. Thank you.
     web designing course in chennai | web designing training in chennai

  25. It was really a wonderful article and I was really impressed by reading this blog.
     Digital Marketing Link Builder

  26. If you are willing to develop a website but you don't know web development or coding then relax wordpress CMS platform is just for you. Where you can create website all by yourself.
     wordpress training in chennai | Wordpress course in chennai | FITA Academy reviews

  28. We are offering e-commerce web designs in affordable price...

  29. HTML5 is the fifth revision of html that is used for structuring and presenting the content. The core aim of html5 is to improve the language and support for the latest multimedia.
     HTML5 Training in Chennai

  30. Phone calls can be composed so that the calling party calls alternate members and adds them to the call; be that as it may, members are generally ready to call into the telephone call themselves by dialing a phone number that interfaces with a "meeting extension" (a specific sort of hardware that connections phone lines).
     Telephone Conference Call

  31. Now you can play in the success of each state's telephone application with amazing and affordable rates telephone applications

  32. Hadoop is one of the best tool which is used to handle the big data in the IT industry and it is the fastest growing field in information technology.
     hadoop training in Chennai | hadoop training chennai

  33. Excellent post!!!. The strategy you have posted on this technology helped me to get into the next level and had lot of information in it.
     salesforce training in chennai | salesforce training institute in chennai