RE: Viewstatedecoder usage

From: Chris Weber (chris@casabasecurity.com)
Date: Thu Aug 12 2010 - 21:58:47 CDT


You could potentially get an XSS attack through the javascript being
returned herein. E.g. the referenced 'OnClick' event.

<String>return ValidateLogin();</String>

You're typically concerned about three issues with VIEWSTATE:

1. Information disclosure
2. Tampering
3. XSS

For some automated analysis of VIEWSTATE, check out the Watcher passive vuln
scanner: http://websecuritytool.codeplex.com/

-CWeb

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On
Behalf Of Raja
Sent: Tuesday, August 10, 2010 9:12 PM
To: pen-test@securityfocus.com
Subject: Viewstatedecoder usage

Hi,

Does anybody know how to use Viewstatedecoder?

I don't understand how to use the viewstatedecoder output.

For example:

If I give the below string as input:
/wEPDwUKLTM5MzgzMzAyMw9kFgICAQ9kFgQCCA8PZBYCHgdPbkNsaWNrBRdyZXR1cm4gVmFsaWRh
dGVMb2dpbigpO2QCCg8WAh4Fc3R5bGUFC0RJU1BMQVk6Jyc7ZBgBBR5fX0NvbnRyb2xzUmVxdWly
ZVBvc3RCYWNrS2V5X18WAQUKY2hrUmVtZWJlcsqpQglfgYd3pgCO3mYCpLrYijgN

I got the following output:

<?xml version="1.0" encoding="utf-16"?>
<viewstate>
  <Pair>
    <Pair>
      <String>-393833023</String>
      <Pair>
        <ArrayList>
          <Int32>1</Int32>
          <Pair>
            <ArrayList>
              <Int32>8</Int32>
              <Pair>
                <Pair>
                  <ArrayList>
                    <IndexedString>OnClick</IndexedString>
                    <String>return ValidateLogin();</String>
                  </ArrayList>
                </Pair>
              </Pair>
              <Int32>10</Int32>
              <Pair>
                <ArrayList>
                  <IndexedString>style</IndexedString>
                  <String>DISPLAY:'';</String>
                </ArrayList>
              </Pair>
            </ArrayList>
          </Pair>
        </ArrayList>
      </Pair>
    </Pair>
  </Pair>
</viewstate>

What do I understand from this? How can this be used in web penetration
testing?

Thanks,
Raja

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually
do a proper penetration test. IACRB CPT and CEPT certs require a full
practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------
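The following Python script is an added example for this thread; it is not the Viewstatedecoder tool Raja used, nor Chris's Watcher scanner. It parses the __VIEWSTATE value quoted above using the token layout of .NET's ObjectStateFormatter (the "LOS" format behind the 0xFF 0x01 header), which is what the XML tree in Raja's output reflects, and then reports on the three concerns Chris lists: every string in the tree (information disclosure, and values such as the OnClick handler that the page renders back into HTML), and the number of bytes left after the tree, which is where the MAC sits when EnableViewStateMac is on (tampering). It goes a little beyond the Viewstatedecoder output shown: it also renders the control-state HybridDictionary at the end of the stream, which that tool dropped, and it reports the trailing MAC bytes. The token values are the public ObjectStateFormatter ones; the MAC-size reading (20 bytes for HMAC-SHA1, 32 for HMAC-SHA256) is a heuristic, not something the thread states.

```python
import base64
import io

# Token bytes from .NET's ObjectStateFormatter serialization format.
T_INT16, T_INT32, T_BYTE, T_STRING = 1, 2, 3, 5
T_PAIR, T_TRIPLET, T_ARRAYLIST, T_HASHTABLE, T_HYBRIDDICT = 15, 16, 22, 23, 24
T_INDEXED_STRING_ADD, T_INDEXED_STRING = 30, 31
T_NULL, T_EMPTY_STRING, T_ZERO_INT32, T_TRUE, T_FALSE = 100, 101, 102, 103, 104

# The __VIEWSTATE value quoted in Raja's message (line breaks removed).
SAMPLE_VIEWSTATE = (
    "/wEPDwUKLTM5MzgzMzAyMw9kFgICAQ9kFgQCCA8PZBYCHgdPbkNsaWNrBRdyZXR1cm4gVmFsaWRh"
    "dGVMb2dpbigpO2QCCg8WAh4Fc3R5bGUFC0RJU1BMQVk6Jyc7ZBgBBR5fX0NvbnRyb2xzUmVxdWly"
    "ZVBvc3RCYWNrS2V5X18WAQUKY2hrUmVtZWJlcsqpQglfgYd3pgCO3mYCpLrYijgN"
)


class ViewStateReader:
    """Walks the LOS byte stream that follows the 0xFF 0x01 header."""

    def __init__(self, data: bytes):
        self.buf = io.BytesIO(data)
        self.string_table = []  # filled by IndexedStringAdd, read by IndexedString

    def read_byte(self) -> int:
        b = self.buf.read(1)
        if not b:
            raise ValueError("unexpected end of ViewState stream")
        return b[0]

    def read_7bit_int(self) -> int:
        # BinaryWriter.Write7BitEncodedInt: little-endian base-128 varint
        value, shift = 0, 0
        while True:
            b = self.read_byte()
            value |= (b & 0x7F) << shift
            if not b & 0x80:
                return value
            shift += 7

    def read_string(self) -> str:
        # BinaryWriter.Write(string): 7-bit length prefix, then UTF-8 bytes
        return self.buf.read(self.read_7bit_int()).decode("utf-8")

    def read_value(self):
        tok = self.read_byte()
        if tok == T_NULL:
            return None
        if tok == T_EMPTY_STRING:
            return ""
        if tok == T_ZERO_INT32:
            return 0
        if tok in (T_TRUE, T_FALSE):
            return tok == T_TRUE
        if tok == T_INT32:
            return self.read_7bit_int()
        if tok == T_INT16:
            return int.from_bytes(self.buf.read(2), "little", signed=True)
        if tok == T_BYTE:
            return self.read_byte()
        if tok == T_STRING:
            return self.read_string()
        if tok == T_INDEXED_STRING_ADD:
            self.string_table.append(self.read_string())
            return self.string_table[-1]
        if tok == T_INDEXED_STRING:
            return self.string_table[self.read_byte()]
        if tok == T_PAIR:
            return {"Pair": [self.read_value(), self.read_value()]}
        if tok == T_TRIPLET:
            return {"Triplet": [self.read_value() for _ in range(3)]}
        if tok == T_ARRAYLIST:
            return [self.read_value() for _ in range(self.read_7bit_int())]
        if tok in (T_HASHTABLE, T_HYBRIDDICT):
            items = {}
            for _ in range(self.read_7bit_int()):
                key = self.read_value()  # key is serialized before its value
                items[str(key)] = self.read_value()
            return {"Dictionary": items}
        raise ValueError(f"unsupported token 0x{tok:02x} at offset {self.buf.tell() - 1}")


def decode_viewstate(b64: str) -> dict:
    """Return the object tree plus whatever bytes follow it (the MAC, if any)."""
    raw = base64.b64decode(b64)
    if raw[:2] != b"\xff\x01":
        # Not an LOS stream: encrypted ViewState, or not ViewState at all.
        return {"tree": None, "mac_bytes": 0, "mac_hex": "", "opaque": True}
    reader = ViewStateReader(raw[2:])
    tree = reader.read_value()
    trailer = raw[2 + reader.buf.tell():]
    return {"tree": tree, "mac_bytes": len(trailer), "mac_hex": trailer.hex(), "opaque": False}


def collect_strings(node) -> list:
    """Every string in the tree (keys included): what a reviewer reads for
    disclosure and for values rendered back into HTML, e.g. the OnClick handler."""
    if isinstance(node, str):
        return [node]
    if isinstance(node, list):
        return [s for child in node for s in collect_strings(child)]
    if isinstance(node, dict):
        out = []
        for key, child in node.items():
            if key not in ("Pair", "Triplet", "Dictionary"):  # structural tags
                out.append(key)
            out.extend(collect_strings(child))
        return out
    return []


def mac_assessment(mac_bytes: int) -> str:
    # Heuristic: the trailer length is consistent with these HMAC output sizes.
    if mac_bytes == 0:
        return "no MAC present: ViewState is not integrity-protected (tampering risk)"
    if mac_bytes == 20:
        return "20-byte trailer: consistent with an HMAC-SHA1 ViewState MAC"
    if mac_bytes == 32:
        return "32-byte trailer: consistent with an HMAC-SHA256 ViewState MAC"
    return f"{mac_bytes} trailing bytes: unrecognised trailer"


if __name__ == "__main__":
    import json
    result = decode_viewstate(SAMPLE_VIEWSTATE)
    print(json.dumps(result["tree"], indent=1))
    print(mac_assessment(result["mac_bytes"]))
    print("strings for review:", collect_strings(result["tree"]))
```

Run against the sample, the tree matches Raja's XML (the Pair/ArrayList nesting, the OnClick and style entries) and additionally shows a HybridDictionary mapping `__ControlsRequirePostBackKey__` to `["chkRemeber"]`, followed by 20 trailing bytes, so this ViewState was MAC-protected but not encrypted: readable (disclosure), tamper-evident, and the strings listed are the ones to check for how the page echoes them.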
