|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: Chris Weber (chris
casabasecurity.com)
Date: Fri Feb 19 2010 - 11:26:34 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
One important thing to note is that VIEWSTATE MAC protection is enabled by default. It's only when this protection is purposely disabled that tampering and this XSS vector become possible. You can detect when this protection has been disabled either through code review, or passively with dynamic testing which is what we'll be doing with the Watcher tool.
-Chris
-----Original Message-----
From: dailydave-bounceslists.immunitysec.com [mailto:dailydave-bounceslists.immunitysec.com] On Behalf Of dave
Sent: Friday, February 19, 2010 6:46 AM
To: dailydavelists.immunityinc.com
Subject: [Dailydave] XSS in viewstate
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
http://www.hacking-lab.com/misc/downloads/ViewState_Afames.pdf
This, on first glance, looks real to me. Does anyone have any comments
on it? ViewState is pretty complex and fairly opaque. If I understand
properly, MS does not publish the full specs to it? Maybe the Mono team
found them somewhere?
- -dave
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkt+pCEACgkQtehAhL0ghepUJQCeMs9I2pnL3z4eYicYF44xaUgd
T4gAnjD/aFU9Z2tWRHge7i4Ch48BS3Ph
=w0qz
-----END PGP SIGNATURE-----
_______________________________________________
Dailydave mailing list
Dailydavelists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave
_______________________________________________
Dailydave mailing list
Dailydavelists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]