Comments on: Hacking ViewState for Fun and Profit http://www.cyphersec.com/archives/294 A blog about Web Application Security and .NET development best practices Thu, 21 Jan 2010 13:36:24 +0100 http://wordpress.org/?v=2.8.4 hourly 1 By: nTze http://www.cyphersec.com/archives/294/comment-page-1#comment-24049 nTze Wed, 11 Nov 2009 14:10:51 +0000 http://www.cyphersec.com/?p=294#comment-24049 Hi mxyzplk, I don't quite get it, if you are after protecting your web application and already had encrypted viewstate then there's not much to add. Perhaps you could also use the Health Monitoring that comes with ASP.NET 2.0 onwards in order to tailor an additional level of security. This is very specific to ViewState tho, in fact using ViewStateFailureAuditEvent will give you the chance to log and programmaticaly respond to such events. Hi mxyzplk,

I don’t quite get it, if you are after protecting your web application and already had encrypted viewstate then there’s not much to add.

Perhaps you could also use the Health Monitoring that comes with ASP.NET 2.0 onwards in order to tailor an additional level of security.

This is very specific to ViewState tho, in fact using ViewStateFailureAuditEvent will give you the chance to log and programmaticaly respond to such events.

]]> By: mxyzplk http://www.cyphersec.com/archives/294/comment-page-1#comment-24048 mxyzplk Wed, 11 Nov 2009 09:35:59 +0000 http://www.cyphersec.com/?p=294#comment-24048 dear nTze I have some project for my university to do some hacking stuff, and my university site is using this viewstate login, I already encrypt the source code and also the viewstate value, but I don't have any idea for the next step.. can you pls help me little for this? Regards dear nTze

I have some project for my university to do some hacking stuff, and my university site is using this viewstate login, I already encrypt the source code and also the viewstate value, but I don’t have any idea for the next step.. can you pls help me little for this?

Regards

]]> By: nTze http://www.cyphersec.com/archives/294/comment-page-1#comment-18231 nTze Wed, 11 Feb 2009 21:58:38 +0000 http://www.cyphersec.com/?p=294#comment-18231 Hello Karl! Yes few of them. Depending of the data you are storing keep your viewstate secured (ref: http://msdn.microsoft.com/en-us/library/aa479501.aspx). A first step would be encrypting it using a strong Validation (3DES for example). Also, from a development and performance prospective also be sure to make a proper use of the viewstate class using it only when it's needed. Mostly, .NET Controls have the property EnableViewState set to true by default. Remember; ViewState is something unsecure by default (it can be manipulated by the end user easily). For more secure date transmissions I would recommend using a bespoke implementation. Cheers! Hello Karl!

Yes few of them.
Depending of the data you are storing keep your viewstate secured (ref: http://msdn.microsoft.com/en-us/library/aa479501.aspx). A first step would be encrypting it using a strong Validation (3DES for example).

Also, from a development and performance prospective also be sure to make a proper use of the viewstate class using it only when it’s needed. Mostly, .NET Controls have the property EnableViewState set to true by default.

Remember; ViewState is something unsecure by default (it can be manipulated by the end user easily). For more secure date transmissions I would recommend using a bespoke implementation.

Cheers!

]]> By: Karl http://www.cyphersec.com/archives/294/comment-page-1#comment-18202 Karl Wed, 11 Feb 2009 02:25:49 +0000 http://www.cyphersec.com/?p=294#comment-18202 Hello my friend, well I have a question, 'cause I develop in Net and the view state is a good tool to retrieve data in my applications, do you have any recomendation?? Regards Karl Hello my friend, well I have a question, ’cause I develop in Net and the view state is a good tool to retrieve data in my applications,
do you have any recomendation??
Regards
Karl

]]>