ASP.Net 1.1 Viewstate Security

Published 2019-07-04 05:12

Question:

In ASP.Net 1.1, is it possible for the end user to change the viewdata before it's sent back to the server to, for instance, make it look like an item is selected in a dropdown that does not exist? I've tried manipulating the values in the dropdown using Firebug, but the server seems to ignore that, I'm presuming because the viewstate says that item does not exist. If, however, it's possible to change the viewdata to achieve this, then that could be more of a problem.

I'm asking because I've been asked to look over the security of one of our applications and if the above is possible there could be a big security gap.

Just to clarify, I'm not asking how. I do not want to break someone else's software; I just need to know if it's something to be concerned about.

Hopefully this makes sense.

Thanks

Answer 1:

Yes, View State can be hacked. In ASP.NET 2.0 a feature was introduced which allowed one to Encrypt the View State and thus prevent these types of attacks.

Hacking View State for Fun & Profit details how to hack the view state of an application.
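
Added example, not part of the question or answer above and not ASP.NET's actual view state format: a simplified Python model of the two server-side checks relevant to the question, a keyed MAC over the client-held state and validation of the posted dropdown value against the verified item list. The key, the field layout and all function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json

# Assumption: a secret that never leaves the server (constructed demo value).
SERVER_KEY = b"constructed-demo-key-not-a-real-machine-key"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes

def protect(state: dict) -> str:
    """Serialize state for a hidden form field and append an HMAC-SHA256 tag."""
    body = json.dumps(state, sort_keys=True).encode()
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return base64.b64encode(body + tag).decode()

def unprotect(field: str) -> dict:
    """Return the state only if the tag verifies; raise ValueError otherwise."""
    try:
        raw = base64.b64decode(field, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("malformed state field") from exc
    if len(raw) <= TAG_LEN:
        raise ValueError("malformed state field")
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("state field failed integrity check")
    return json.loads(body)

def handle_postback(field: str, posted_value: str) -> str:
    """Accept the posted dropdown value only if the verified state offered it."""
    state = unprotect(field)
    if posted_value not in state["items"]:
        raise ValueError("posted value is not an offered item")
    return posted_value

def demo() -> list:
    """Run a valid postback, an unknown value, and a modified state field."""
    field = protect({"items": ["green", "red"]})  # constructed sample state
    raw = base64.b64decode(field)
    # Constructed input: item list changed client-side, original tag reused.
    new_body = json.dumps({"items": ["blue", "green", "red"]}).encode()
    modified = base64.b64encode(new_body + raw[-TAG_LEN:]).decode()
    results = [handle_postback(field, "green")]
    for f, value in ((field, "blue"), (modified, "blue")):
        try:
            results.append(handle_postback(f, value))
        except ValueError as exc:
            results.append(str(exc))
    return results

if __name__ == "__main__":
    print(demo())
```

Without the MAC check, the third case would pass the item-list test, which is why the list itself has to be integrity-protected or rebuilt server-side on every request.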