Unencrypted view state in ASP.NET 2.0 could leak sensitive information

https://www.rapid7.com/db/vulnerabilities/http-asp-dot-net-unencrypted-viewstate

https://msdn.microsoft.com/en-us/library/ms972427.aspx

Because it's not formatted as clear text, folks sometimes assume that ViewState is encrypted—it's not. Instead, ViewState is merely base64-encoded to ensure that values are not altered during a roundtrip, regardless of the response/request encoding used by the application.

There are two levels of ViewState security you may wish to add to your application:

  • Tamper-proofing
  • Encryption

It's important to note that ViewState security has a direct effect on the time required to process and render an ASP.NET page. In short, more secure is slower, so don't add security to ViewState if you don't need it.

Tamper-Proofing  防止篡改

A hashcode will not secure the actual data within the ViewState field, but it will greatly reduce the likelihood of someone tampering with ViewState to try to spoof your application, that is, posting back values that your application would normally prevent a user from inputting.

You can instruct ASP.NET to append a hashcode to the ViewState field by setting the EnableViewStateMAC attribute:

<%@Page EnableViewStateMAC=true %>

EnableViewStateMAC can be set at the page or application level. Upon postback, ASP.NET will generate a hashcode for the ViewState data and compare it to the hashcode store in the posted value. If they don't match, the ViewState data will be discarded and the controls will revert to their original settings.

By default, ASP.NET generates the ViewState hashcode using the SHA1 algorithm. Alternatively, you can select the MD5 algorithm by setting <machineKey> in the machine.config file as follows:

<machineKey validation="MD5" />

Encryption  加密

You can use encryption to protect the actual data values within the ViewState field. First, you must set EnableViewStatMAC="true", as above. Then, set the machineKey validation type to 3DES. This instructs ASP.NET to encrypt the ViewState value using the Triple DES(Triple Data Encryption Algorithm三重数据加密算法) symmetric encryption algorithm.

<machineKey validation="3DES" />

ViewState Security on a Web Farm

By default, ASP.NET creates a random validation key and stores it in each server's Local Security Authority (LSA).

In order to validate a ViewState field created on another server, the validationKey for both servers must be set to the same value.

If you secure ViewState by any of the means listed above for an application running in a Web Farm configuration, you will need to provide a single, shared validation key for all of the servers.

The validation key is a string of 20 to 64 random, cryptographically-strong bytes, represented as 40 to 128 hexadecimal characters. Longer is more secure, so a 128-character key is recommended for machines that support it. For example:

<machineKey validation="SHA1" validationKey="
F3690E7A3143C185AB1089616A8B4D81FD55DD7A69EEAA3B32A6AE813ECEECD28DEA66A
23BEE42193729BD48595EBAFE2C2E765BE77E006330BC3B1392D7C73F" />

Summary

ASP.NET ViewState is a new kind of state service that developers can use to track UI state on a per-user basis.

There's nothing magical about it.

It simply takes an old Web programming trick—roundtripping state in a hidden form field—and bakes it right into the page-processing framework.

But the result is pretty wonderful—a lot less code to write and maintain in your Web-based forms.

You won't always need it, but when you do, I think you'll find ViewState is a satisfying addition to the feast of new features ASP.NET offers to page developers.

扩展阅读

Taking a Bite Out of ASP.NET ViewState

Understanding ASP.NET View State

How To: Configure MachineKey in ASP.NET 2.0

Making ViewState More Secure的更多相关文章

  1. 【转】ASP.NET ViewState详解

    (wyt今天学习了这篇文章,作为门外汉的我了解了很多页面控件数据加载的知识和viewstate的用法和原理.我想在日后的开发效率提升上会有很大的作用.) 转自http://www.cnblogs.co ...

  2. ASP.NET ViewState详解

    ASP.NET ViewState详解[转载] 作者:Infinities Loop 概述 ViewState是一个被误解很深的动物了.我希望通过此文章来澄清人们对ViewState的一些错误认识.为 ...

  3. 转:asp.net 中的viewstate

    概述 ViewState是一个被误解很深的动物了.我希望通过此文章来澄清人们对ViewState的一些错误认识.为了达到这个目的,我决定从头到尾详细的描述一下整个ViewState的工作机制,其中我会 ...

  4. session、cookie、viewstate

    session的用法 定义:保存在服务器内存的数据,sesson 只应该应用在需要跨页面且与每个访问用户相关的变量和对象存储上,session在默认情况下20分钟就过期,在页面之中最好不要过多使用,因 ...

  5. How to choose from Viewstate, SessionState, Cookies and Cache

    https://devshop.wordpress.com/2008/04/10/how-to-choose-from-viewstate-sessionstate-cookies-and-cache ...

  6. 【转载】viewState详解

    作者:Infinities Loop 概述 ViewState是一个被误解很深的动物了.我希望通过此文章来澄清人们对 ViewState的一些错误认识.为了达到这个目的,我决定从头到尾详细的描述一下整 ...

  7. viewState详解

    作者:Infinities Loop 概述 ViewState是一个被误解很深的动物了.我希望通过此文章来澄清人们对 ViewState的一些错误认识.为了达到这个目的,我决定从头到尾详细的描述一下整 ...

  8. Critical: Update Your Windows Secure Channel (cve-2014-6321,MS14-066)

    前言:风雨欲来山满楼,下半年开始各种凶猛的漏洞层出不穷,天下已经不太平,互联网已经进入一个新的台阶 0x01 cve-2014-6321 11月的补丁月,微软请windows的用户吃了顿大餐,发布了1 ...

  9. Webform:Application、ViewState对象的用法

    Application Application对象的作用范围是整个全局,也就是说对所有用户都有效.它在整个应用程序生命周期中都是有效的,类似于使用全局变量一样,所以可以在不同页面中对它进行存取.它和S ...

随机推荐

  1. 转:Oracle GoldenGate学习之Goldengate介绍

    转自:http://blog.sina.com.cn/s/blog_a32eff28010136d9.html 日志或归档日志获得数据的增删改变化,再将这些变化应用到目标数据库,实现源数据库与目标数据 ...

  2. ”危险“的RESTRICT与GCC的编译优化(编程者对编译器所做的一个“承诺”:使用restrict修饰过的指针,它所指向的内容只能经由该指针修改)

    restrict是C99标准中新添加的关键字,对于从C89标准开始起步学习C语言的同学来说(包括我),第一次看到restrict还是相当陌生的.Wikipedia给出的解释如下: In the C p ...

  3. 0x13 链表与邻接表

    这东西我还是有点会玩的啊.. 邻值查找这东西不就是维护个前驱后继嘛.. #include<cstdio> #include<iostream> #include<cstr ...

  4. DB-MySQL:MySQL NULL 值处理

    ylbtech-DB-MySQL:MySQL NULL 值处理 1.返回顶部 1. MySQL NULL 值处理 我们已经知道 MySQL 使用 SQL SELECT 命令及 WHERE 子句来读取数 ...

  5. js最简单的-点击小图放大

    js最简单的-点击小图放大 标签(空格分隔): js <html> <body> <img class="imgview" src="{$v ...

  6. 如何在maven项目中使用spring

    今天开始在maven项目下加入spring. 边学习边截图. 在这个过程中我新建了一个hellospring的项目.于是乎从这个项目出发开始研究如何在maven项目中使用spring.鉴于网上的学习资 ...

  7. vue中的事件修饰符

    vue提倡的是在方法中只有对数据的处理,所以提供了事件修饰符用于DOM的事件处理,常用的事件修饰符有以下几个: (1). stop:阻止冒泡(通俗讲就是阻止事件向上级DOM元素传递) 点击内层div的 ...

  8. app专项测试

    本节为大家讲述app的专项测试——客户端性能测试.这个我也做了蛮久的了.在这里修改了一下本篇随笔. 首先我们了解一下什么是客户端的性能测试.性能测试相比大家都已经耳熟能详了,这个app的客户端性能测试 ...

  9. mysql case when then 使用

    建表:create table hank (id int,name varchar(20)); 插入数据:insert into hank values(1,'A');insert into hank ...

  10. JS 限制input框的输入字数,并提示可输入字数

    <!DOCTYPE html> <html> <head lang="en"> <meta charset="UTF-8&quo ...