Vigil@nce: Microsoft ASP.NET, Cross Site Scripting via ViewState
February 2010 by Vigil@nce
When ViewState are not signed by Microsoft ASP.NET, an attacker
can generate a Cross Site Scripting.
– Severity: 2/4
– Consequences: client access/rights
– Provenance: document
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 10/02/2010
IMPACTED PRODUCTS
– Microsoft .NET Framework
DESCRIPTION OF THE VULNERABILITY
An ASP page can use a hidden variable named __VIEWSTATE,
containing the state of a form, encoded in base64.
Some applications directly display data from the ViewState on the
web page returned to the client, without filtering them to ensure
they do not contain JavaScript code. In this case, and if the
ViewState is not signed, an attacker can therefore encode a
malicious script in base64, and then send it in the __VIEWSTATE
variable.
When ViewState are not signed by Microsoft ASP.NET, an attacker
can therefore generate a Cross Site Scripting.
CHARACTERISTICS
– Identifiers: TWSL2010-001, VIGILANCE-VUL-9439
– Url: http://vigilance.fr/vulnerability/Microsoft-ASP-NET-Cross-Site-Scripting-via-ViewState-9439