Question

In an asp.net webforms application using the 4.0 framework, we are setting the ViewStateUserKey to a unique value to thwart the cross-site request forgery vulnerability.

We recently failed a vulnerability test, because the tester said he could not "observe" the existence of this in the html source. I was hoping I could simply decode the ViewState and see the ViewStateUserKey, but alas, when I decode the view state (using the Fiddler2 ViewState inspector, or one of the online decoder sites such as http://ignatu.co.uk/ViewStateDecoder.aspx), I cannot see the ViewStateUserKey. I can see values in the viewstate, mixed with a bunch of gibberish, but the ViewStateUserKey itself seems to be encoded in the gibberish.

For example, here is the decoded viewstate (using the Fiddler2 ViewState inspector) for a page with one DropDownList control with 4 values (Text1, Text2, Text3, Text4); you can see the values mixed in with the gibberish:

�-1665646599dfddddfText11gText22gText33gText44gddd?"H~E* =91��;��O!��;�O�B�g

Here is the same page, with the ViewStateUserKey set to the static value "cat" (I realize ViewStateUserKey is of no use when set to a static value).

�-1665646599dfddddfText11gText22gText33gText44gddd�Gpb����c��uy�l����F3��>�h�~

The gibberish at the end of the viewstate changed; it appears that the ViewStateUserKey is hidden in the gibberish. But is there any way to prove that to a vulnerability tester?

Note, if I set enableViewStateMAC to "false" (which of course one would never do in production), I get different gibberish, but I still cannot see the ViewStateUserKey in the html source.


Solution

The ViewStateUserKey value isn't normally included as part of the payload itself. Rather, it's a special modifier that is mixed with the payload when computing the cryptographic MAC (the gibberish at the end of the payload). But since MAC functions are not reversible, there's no way, given a MAC, to deduce what its ViewStateUserKey is.
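As an added illustration (not part of the original answer, and a simplified model rather than the real .NET serializer or machineKey scheme), the following Python shows what the answer describes and what a tester can check instead of looking for the key in the source: the payload bytes are identical with and without a ViewStateUserKey, only the MAC changes, and ViewState minted under one user key fails validation under another. The control values Text1..Text4 come from the question; the validation key and the alternative user key "dog" are constructed.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for the server's machineKey validationKey (not a real key).
VALIDATION_KEY = b"constructed-validation-key-not-real"
MAC_LEN = hashlib.sha1().digest_size  # 20 bytes for HMAC-SHA1


def serialize_state(values):
    """Stand-in for the ViewState serializer: control values become the payload."""
    return b"|".join(v.encode() for v in values)


def viewstate_mac(payload, user_key):
    """Simplified model of the ViewState MAC: the ViewStateUserKey is a modifier
    mixed into the HMAC input. It is never written into the payload itself."""
    modifier = user_key.encode() if user_key else b""
    return hmac.new(VALIDATION_KEY, payload + modifier, hashlib.sha1).digest()


def build_viewstate(values, user_key):
    """Payload followed by its MAC, base64-encoded as in the __VIEWSTATE field."""
    payload = serialize_state(values)
    return base64.b64encode(payload + viewstate_mac(payload, user_key)).decode()


def payload_bytes(encoded):
    """The decodable part a ViewState decoder shows (everything before the MAC)."""
    return base64.b64decode(encoded)[:-MAC_LEN]


def validate_viewstate(encoded, user_key):
    """Server-side check: recompute the MAC under this user's key and compare."""
    raw = base64.b64decode(encoded)
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    return hmac.compare_digest(mac, viewstate_mac(payload, user_key))


if __name__ == "__main__":
    values = ["Text1", "Text2", "Text3", "Text4"]
    vs_plain = build_viewstate(values, None)
    vs_cat = build_viewstate(values, "cat")
    # Decoders show the same payload in both; only the trailing MAC differs.
    print("payload identical:", payload_bytes(vs_plain) == payload_bytes(vs_cat))
    print("'cat' visible in payload:", b"cat" in payload_bytes(vs_cat))
    # Observable evidence for a tester: a ViewState issued for one user key is
    # rejected when replayed under a different key (or no key at all).
    print("valid under 'cat':", validate_viewstate(vs_cat, "cat"))
    print("valid under 'dog':", validate_viewstate(vs_cat, "dog"))
    print("valid with no key:", validate_viewstate(vs_cat, None))
```

The replay check at the end is the behaviour a tester can actually observe: postback with a ViewState captured in another session fails MAC validation, which is the evidence that the key is in effect even though it is not visible in the page source.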

Other tips

No, because ViewStateUserKey is stored in a cookie and validated with the key in the form on submitting.

License: CC-BY-SA Attribution
Not affiliated with StackOverflow