How to exploit an asp.net web application if there is a viewstate without mac enabled

612 views
Skip to first unread message

akriti srivastava

unread,
Apr 3, 2014, 9:58:08 AM4/3/14
to null-...@googlegroups.com

Hi,
(a dumb question) I recently came across an asp.net 2.0 web application which had viewstate without mac enabled (my burpsuite scanner has shown this result). On decoding it I got a navigation url where that website was directing on clicking a submit button present in the web form. Is there any exploit (like disclosure of information or execution of malicious script)possible in such scenario? If possible then how?

Abeer Banerjee

unread,
Apr 3, 2014, 12:02:34 PM4/3/14
to null-...@googlegroups.com

Could people please avoid writing (dumb question) or (stupid question) as this is open community where you learn n contribute....nothing is dumb or stupid

Hi,
(a dumb question) I recently came across an asp.net 2.0 web application which had viewstate without mac enabled (my burpsuite scanner has shown this result). On decoding it I got a navigation url where that website was directing on clicking a submit button present in the web form. Is there any exploit (like disclosure of information or execution of malicious script)possible in such scenario? If possible then how?

--
_______________________________________________________________________________
null - Spreading the right Information
null Mailing list charter: http://null.co.in/section/about/null_list_charter/
---
You received this message because you are subscribed to the Google Groups "null" group.
To unsubscribe from this group and stop receiving emails from it, send an email to null-co-in+...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Naresh Annangar

unread,
Apr 3, 2014, 12:16:20 PM4/3/14
to null-...@googlegroups.com
Hi Akriti,

By modifying the URL in the View State, you might be able to redirect the user to any page that you want to. Including a page containing malicious code.

As per OWASP Top 10 2013, I'd say the application is vulnerable to 'A10 - Unvalidated Redirects and Forwards'. I think it might also fall under 'A5 - Security Misconfiguration' as MAC was specifically disabled.

A Remote exploit(Making the server render a page with the View State's URL set to your custom URL) might not be possible. What you can do instead is load the page and then change the View State's content to what you want.

{\}


On Thu, Apr 3, 2014 at 7:28 PM, akriti srivastava <akriti.sri...@gmail.com> wrote:

Hi,
(a dumb question) I recently came across an asp.net 2.0 web application which had viewstate without mac enabled (my burpsuite scanner has shown this result). On decoding it I got a navigation url where that website was directing on clicking a submit button present in the web form. Is there any exploit (like disclosure of information or execution of malicious script)possible in such scenario? If possible then how?

--

akriti srivastava

unread,
Apr 7, 2014, 8:15:34 AM4/7/14
to null-...@googlegroups.com
Thanks, it was a great help . 
Reply all
Reply to author
Forward
0 new messages