Re: [Dailydave] XSS in viewstate

From: dave (daveimmunityinc.com)
Date: Fri Feb 19 2010 - 13:15:44 CST


We usually see MAC protection turned off on at least one page during an
assessment. Does this mean that you can always have XSS if MAC
protection is turned off? That would be pretty cool.

I'm not familiar with Expression Language, but the TrustWave advisory
indicates that things can be executed on the server as well. What's the
story there?

-dave
( https://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt )

Chris Weber wrote:
> One important thing to note is that VIEWSTATE MAC protection is enabled by default. It's only when this protection is purposely disabled that tampering and this XSS vector become possible. You can detect when this protection has been disabled either through code review, or passively with dynamic testing which is what we'll be doing with the Watcher tool.
>
> -Chris
>
>
> -----Original Message-----
> From: dailydave-bounceslists.immunitysec.com [mailto:dailydave-bounceslists.immunitysec.com] On Behalf Of dave
> Sent: Friday, February 19, 2010 6:46 AM
> To: dailydavelists.immunityinc.com
> Subject: [Dailydave] XSS in viewstate
>
> http://www.hacking-lab.com/misc/downloads/ViewState_Afames.pdf
>
> This, on first glance, looks real to me. Does anyone have any comments
> on it? ViewState is pretty complex and fairly opaque. If I understand
> properly, MS does not publish the full specs to it? Maybe the Mono team
> found them somewhere?
>
> -dave
_______________________________________________
Dailydave mailing list
Dailydavelists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave

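Added example (not from the thread, and not Watcher's code): the code-review side of the detection Chris describes. ASP.NET reads the MAC setting from the `<pages enableViewStateMac>` element in web.config and lets a page override it with the `EnableViewStateMac` attribute of its `@ Page` directive; with neither present, protection is on. The web.config fragment and page headers below are constructed sample inputs.

```python
import re

# Constructed sample inputs: a web.config that turns the MAC off site-wide,
# and three page directives, one of which re-enables it.
WEB_CONFIG = """<configuration>
  <system.web>
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>"""

PAGES = {
    "Default.aspx": '<%@ Page Language="C#" AutoEventWireup="true" CodeFile="Default.aspx.cs" %>',
    "Report.aspx": '<%@ Page Language="C#" EnableViewStateMac="true" %>',
    "Legacy.aspx": "<%@ Page Language='VB' enableviewstatemac='false' %>",
}

# Attribute names are case-insensitive in both places, hence re.I.
CONFIG_RE = re.compile(r'<pages\b[^>]*?\benableViewStateMac\s*=\s*["\'](true|false)["\']', re.I)
PAGE_RE = re.compile(r'<%@\s*Page\b[^%]*?\bEnableViewStateMac\s*=\s*["\'](true|false)["\']', re.I)


def config_default(web_config: str) -> bool:
    """Site-wide setting; ASP.NET's default is MAC enabled when unspecified."""
    m = CONFIG_RE.search(web_config)
    return m.group(1).lower() == "true" if m else True


def page_setting(source: str):
    """Per-page override from the @ Page directive, or None if not set."""
    m = PAGE_RE.search(source)
    return None if m is None else m.group(1).lower() == "true"


def effective_mac(web_config: str, pages: dict) -> dict:
    """Resolve the effective MAC state for every page: directive beats config."""
    default = config_default(web_config)
    return {name: (default if page_setting(src) is None else page_setting(src))
            for name, src in pages.items()}


def unprotected_pages(web_config: str, pages: dict) -> list:
    """Pages whose ViewState is tamperable, i.e. where the MAC ends up disabled."""
    return sorted(n for n, on in effective_mac(web_config, pages).items() if not on)


if __name__ == "__main__":
    print("ViewState MAC disabled on:", unprotected_pages(WEB_CONFIG, PAGES))
```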
