ViewStateUserKey: ViewStateMac Relationship

Posted by on November 26, 2013 · Comments Off on ViewStateUserKey: ViewStateMac Relationship
Filed under: Development, Security, Testing 

I apologize for the delay as I recently spoke about this at the SANS Pen Test Summit in Washington D.C. but haven't had a chance to put it into a blog. While I was doing some research for my presentation on hacking ASP.Net applications I came across something very interesting that sort of blew ...

Hidden Treasures: Not So Hidden

Posted by on April 5, 2013 · Comments Off on Hidden Treasures: Not So Hidden
Filed under: Development, Security, Testing 

For years now, I have run into developers that believe that just because a request can’t be seen, it is not vulnerable to flaws.  Wait, what are we talking about here?   What do you mean by a request that can’t be seen?  There are a few different ways that the user would not see a ...

Brute Force: An Inside Job

Posted by on March 20, 2013 · Comments Off on Brute Force: An Inside Job
Filed under: Development, Security, Testing 

As a developer, we are told all the time to protect against brute force attacks on the login screen by using a mechanism like account lockouts.  We even see this on our operating systems, when we attempt multiple incorrect logins, we get locked out.   Of course, as times have changed, so have some of the ...

Authorization: Bad Implementation

Posted by on January 3, 2013 · Comments Off on Authorization: Bad Implementation
Filed under: Development, Security, Testing 

A few years ago, I joined a development team and got a chance to poke around a little bit for security issues.  For a team that didn't think much about security, it didn't take long to identify some serious vulnerabilities.  One of those issues that I saw related to authorization for privileged areas of the ...

2012 in Review

Posted by on December 31, 2012 · Comments Off on 2012 in Review
Filed under: Development, Security, Testing 

Well here it is, 2012 is coming to an end and I thought I would wish everyone happy holidays, as well as mention some of the topics covered this year on my blog. The year started out with a few issues in the ASP.Net framework. We saw a Forms Authentication Bypass that ...

ViewState XSS: What’s the Deal?

Posted by on September 17, 2012 · Comments Off on ViewState XSS: What’s the Deal?
Filed under: Development, Security, Testing 

Many of my posts have discussed some of the protections that ASP.Net provides by default.  For example, Event Validation, ViewStateMac, and ViewStateUserKey.  So what happens when we are not using these protections?  Each of these have a different effect on what is possible from an attacker’s stand point so it is important to understand what ...

ASP.Net: Tampering with Event Validation – Part 2

Posted by on February 10, 2012 · 1 Comment
Filed under: Development, Security, Testing 

In part 1 of this series I demonstrated how to modify the values of a list box and access data I was not given access to by manipulating the view state and event validation parameters.  Remember, the key to this is that ViewStateMac must be disabled.  In this post, I will be demonstrating ...

ASP.Net Webforms CSRF Workflow

Posted by on February 7, 2012 · Comments Off on ASP.Net Webforms CSRF Workflow
Filed under: Security, Testing 

An important aspect of application security is the ability to verify whether or not vulnerabilities exist in the target application.  This task is usually outsourced to a company that specializes in penetration testing or vulnerability assessments.  Even if the task is performed internally, it is important that the testers have as much knowledge about vulnerabilities ...

« Previous Page