ScriptResource error: am I being hacked?

2020-06-04 04:25发布

站内问答 / 后端开发
1925 1 3

I keep getting errors like this on one of my sites. It tends to happen randomly throughout the day any for periods in the night when I would not expect users on the site.

It is always from different ip addresses

System.Web.HttpException: Invalid viewstate. at System.Web.UI.Page.DecryptStringWithIV(String s, IVType ivType) at System.Web.UI.Page.DecryptString(String s)

or

System.Security.Cryptography.CryptographicException: Padding is invalid and cannot be removed. at System.Security.Cryptography.RijndaelManagedTransform.DecryptData(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount, Byte[]& outputBuffer, Int32 outputOffset, PaddingMode paddingMode, Boolean fLast) at System.Security.Cryptography.RijndaelManagedTransform.TransformFinalBlock(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount) at System.Security.Cryptography.CryptoStream.FlushFinalBlock() at System.Web.Configuration.MachineKeySection.EncryptOrDecryptData(Boolean fEncrypt, Byte[] buf, Byte[] modifier, Int32 start, Int32 length, IVType ivType, Boolean useValidationSymAlgo) at System.Web.UI.Page.DecryptStringWithIV(String s, IVType ivType) at System.Web.UI.Page.DecryptString(String s)

They happen in this page:

 ScriptResource.axd?d=VVe1O4rzLSI9hB5nRzBXZxUYTQz6ylDTL9djGR

The site users Ajax and runs on .NET 3.

Is this someone trying to hack into the site? Is it an error with the html on the site?

Any ideas?

1条回答
我欲成王,谁敢阻挡
2楼-- · 2020-06-04 04:45

I believe this error is caused by your ViewState being decrypted using an out-of-date ViewStateUserKey.

Removing these errors is a two-step process:

  1. Ensure you have a site-specific validation key. You can use several online resources to generate one for you, such as this one.
  2. Ensure the page's ViewStateUserKey is always consistent. From the MSDN documentation:

Setting the ViewStateUserKey property can help you prevent attacks on your application from malicious users. It does this by allowing you to assign an identifier to the view-state variable for individual users so that they cannot use the variable to generate an attack. You can set this property to any string value, such as the user's session ID or the user's authenticated name.

You can do this by setting it yourself (perhaps in your Page or base Page's Init event):

if (Session["ViewStateUserKey"] == null)
{
    Session["ViewStateUserKey"] = new Guid().ToString();
}    
this.Page.ViewStateUserKey = Session["ViewStateUserKey"].ToString();

And no, I don't think you're being hacked.

查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(3)