Unencrypted view state in ASP.NET 2.0 could leak sensitive information

https://www.rapid7.com/db/vulnerabilities/http-asp-dot-net-unencrypted-viewstate

https://msdn.microsoft.com/en-us/library/ms972427.aspx

Because it's not formatted as clear text, folks sometimes assume that ViewState is encrypted—it's not. Instead, ViewState is merely base64-encoded to ensure that values are not altered during a roundtrip, regardless of the response/request encoding used by the application.

There are two levels of ViewState security you may wish to add to your application:

  • Tamper-proofing
  • Encryption

It's important to note that ViewState security has a direct effect on the time required to process and render an ASP.NET page. In short, more secure is slower, so don't add security to ViewState if you don't need it.

Tamper-Proofing  防止篡改

A hashcode will not secure the actual data within the ViewState field, but it will greatly reduce the likelihood of someone tampering with ViewState to try to spoof your application, that is, posting back values that your application would normally prevent a user from inputting.

You can instruct ASP.NET to append a hashcode to the ViewState field by setting the EnableViewStateMAC attribute:

<%@Page EnableViewStateMAC=true %>

EnableViewStateMAC can be set at the page or application level. Upon postback, ASP.NET will generate a hashcode for the ViewState data and compare it to the hashcode store in the posted value. If they don't match, the ViewState data will be discarded and the controls will revert to their original settings.

By default, ASP.NET generates the ViewState hashcode using the SHA1 algorithm. Alternatively, you can select the MD5 algorithm by setting <machineKey> in the machine.config file as follows:

<machineKey validation="MD5" />

Encryption  加密

You can use encryption to protect the actual data values within the ViewState field. First, you must set EnableViewStatMAC="true", as above. Then, set the machineKey validation type to 3DES. This instructs ASP.NET to encrypt the ViewState value using the Triple DES(Triple Data Encryption Algorithm三重数据加密算法) symmetric encryption algorithm.

<machineKey validation="3DES" />

ViewState Security on a Web Farm

By default, ASP.NET creates a random validation key and stores it in each server's Local Security Authority (LSA).

In order to validate a ViewState field created on another server, the validationKey for both servers must be set to the same value.

If you secure ViewState by any of the means listed above for an application running in a Web Farm configuration, you will need to provide a single, shared validation key for all of the servers.

The validation key is a string of 20 to 64 random, cryptographically-strong bytes, represented as 40 to 128 hexadecimal characters. Longer is more secure, so a 128-character key is recommended for machines that support it. For example:

<machineKey validation="SHA1" validationKey="
F3690E7A3143C185AB1089616A8B4D81FD55DD7A69EEAA3B32A6AE813ECEECD28DEA66A
23BEE42193729BD48595EBAFE2C2E765BE77E006330BC3B1392D7C73F" />

Summary

ASP.NET ViewState is a new kind of state service that developers can use to track UI state on a per-user basis.

There's nothing magical about it.

It simply takes an old Web programming trick—roundtripping state in a hidden form field—and bakes it right into the page-processing framework.

But the result is pretty wonderful—a lot less code to write and maintain in your Web-based forms.

You won't always need it, but when you do, I think you'll find ViewState is a satisfying addition to the feast of new features ASP.NET offers to page developers.

扩展阅读

Taking a Bite Out of ASP.NET ViewState

Understanding ASP.NET View State

How To: Configure MachineKey in ASP.NET 2.0

Making ViewState More Secure的更多相关文章

  1. 【转】ASP.NET ViewState详解

    (wyt今天学习了这篇文章,作为门外汉的我了解了很多页面控件数据加载的知识和viewstate的用法和原理.我想在日后的开发效率提升上会有很大的作用.) 转自http://www.cnblogs.co ...

  2. ASP.NET ViewState详解

    ASP.NET ViewState详解[转载] 作者:Infinities Loop 概述 ViewState是一个被误解很深的动物了.我希望通过此文章来澄清人们对ViewState的一些错误认识.为 ...

  3. 转:asp.net 中的viewstate

    概述 ViewState是一个被误解很深的动物了.我希望通过此文章来澄清人们对ViewState的一些错误认识.为了达到这个目的,我决定从头到尾详细的描述一下整个ViewState的工作机制,其中我会 ...

  4. session、cookie、viewstate

    session的用法 定义:保存在服务器内存的数据,sesson 只应该应用在需要跨页面且与每个访问用户相关的变量和对象存储上,session在默认情况下20分钟就过期,在页面之中最好不要过多使用,因 ...

  5. How to choose from Viewstate, SessionState, Cookies and Cache

    https://devshop.wordpress.com/2008/04/10/how-to-choose-from-viewstate-sessionstate-cookies-and-cache ...

  6. 【转载】viewState详解

    作者:Infinities Loop 概述 ViewState是一个被误解很深的动物了.我希望通过此文章来澄清人们对 ViewState的一些错误认识.为了达到这个目的,我决定从头到尾详细的描述一下整 ...

  7. viewState详解

    作者:Infinities Loop 概述 ViewState是一个被误解很深的动物了.我希望通过此文章来澄清人们对 ViewState的一些错误认识.为了达到这个目的,我决定从头到尾详细的描述一下整 ...

  8. Critical: Update Your Windows Secure Channel (cve-2014-6321,MS14-066)

    前言:风雨欲来山满楼,下半年开始各种凶猛的漏洞层出不穷,天下已经不太平,互联网已经进入一个新的台阶 0x01 cve-2014-6321 11月的补丁月,微软请windows的用户吃了顿大餐,发布了1 ...

  9. Webform:Application、ViewState对象的用法

    Application Application对象的作用范围是整个全局,也就是说对所有用户都有效.它在整个应用程序生命周期中都是有效的,类似于使用全局变量一样,所以可以在不同页面中对它进行存取.它和S ...

随机推荐

  1. java 用JNA调用dll 参考文档

    1  Java调用C语言动态库(JNA方式):回调函数.结构体数组传参.结构体数组返回 2jna结构体数组  JNA结构体数组 3JNA调用C语言动态链接库学习实践总结 4 Java 通过 JNA 调 ...

  2. idea使用技巧资料篇

    基本使用:https://my.oschina.net/lujianing/blog/177042#OSC_h1_2 解决idea卡顿问题:http://www.cnblogs.com/ae6623/ ...

  3. hdoj--1272--小希的迷宫(并查集)

    小希的迷宫 Time Limit: 2000/1000 MS (Java/Others)    Memory Limit: 65536/32768 K (Java/Others) Total Subm ...

  4. go并发设计模式 --资源生成器模式

    1.简单的生成器 package main import ( "fmt" "math/rand" ) func GenerateIntA()chan int { ...

  5. Date.getTime() 结果为 NaN

    yyyy-MM-dd 格式的时间,部分浏览器环境下转换为 Date 对象后调用 getTime() 方法的结果为 NaN. 需要将 - 替换为 / var dateStr = '2019-01-01' ...

  6. IntelliJ Idea使用代码折叠

    VS风格: //region    xxxxxxxxxxxxxx ............. //endregion 快捷键: Ctrl+Shift+”+/-”,全部展开.折叠

  7. DDD中 与Dto搭配的AutoMapper插件,摘自《NET企业级应用架构设计》

    AutoMapper插件 实现了 DTO与Model的互相映射.

  8. 测试用html

    <!DOCTYPE html><html lang="en"><head> <meta charset="UTF-8" ...

  9. vuex存储和本地存储的区别

    1.实质的区别 vuex存的是状态,存储在内存,localstorage是浏览器提供的接口,让你存的是文件,以文件的形式存储在本地 2.应用场景 vuex用于组件之间的传值,localstorage则 ...

  10. CentOS 7 安装配置MySQL

    环境 CentOS Linux release 7.5.1804 (Core) MySQL:mysql80-community-release-el7-1 检查: 在centos7中默认的是maria ...