ASP.Net __VIEWSTATE/__EVENTVALIDATION | Does it prevent from CSRF?

By YGN Ethical Hacker Group -
Myth:

Some web application developers  mistakenly assume ASP.Net __VIEWSTATE/__EVENTVALIDATION can thwart CSRF attacks.


Fact

As far as we know, Microsoft didn't state __VIEWSTATE/__EVENTVALIDATION as CSRF defense when ASP.Net was introduced.


Proof-of-Concept

You can craft a valid CSRF exploit by getting known __VIEWSTATE value and __EVENTVALIDATION value that you can know by simply viewing HTML source.  Unless web application processes __EVENTTARGET and __EVENTARGUMENT, you can skip these parameters.

Keywords: ASP.Net, Cross Site Request Forgery, CSRF, XSRF


Comments

Post a Comment

Popular posts from this blog

Bypassing referrer check with no script involved

By YGN Ethical Hacker Group -
No more to use scripting approach like https://github.com/knu/noreferrer This useful meta tag helps for CSRF POC preparation when you come across an application that checks referrer header: <meta name="referrer" content="no-referrer"> https://caniuse.com/#feat=referrer-policy
Read more

Jumping out of Touch Screen Kiosks

By YGN Ethical Hacker Group -
Image
Background: Nowadays, the use of large touch screen kiosks has been prevalent.  They are to replace tradition paper-based brochures and to provide more interactive means to consumers. In restaurants, you can see a variety of food menu that can be accessible in large touch screen LCD monitor.  In your local Telcos, you can see a variety of mobile and Internet subscriptions plans.   Behind these touch screen menus are running standalone or browser-mode Adobe Flash applications which are second-to-none for interactivity and scalablity and ease of update. Data could be pulled from somewhere round their centralized web severs. Weakness: Jumping out We cannot use  iKat  at first as we do not have access to any keyboard facility. However, the trick is no-brainer. Do long press on any locations and relieve.  You should see the usual Flash context menu like: Touch "Global Settings".  A web browser window will pop up and redirect to the Adobe ...
Read more

From Arbitrary DNS Query to DNS Proxy

By YGN Ethical Hacker Group -
Most of today's corporate networks allow arbitrary DNS query. Similarly wireless access points which are controlled by HTTP user credentials allow arbitrary DNS queries. Attackers can easily bypass this restriction by setting up their remote DNS-based HTTP/Socks proxy servers.The thing is the restriction is set only on HTTP Data not others. Attackers can set up covert channels with DNS, ICMP, POP3 and so on.
Read more