viewstate tampering Issue

Posted by Mani654mani under ASP.NET on 4/19/2012 | Points: 10 | Views : 1076 | Status : [Member] | Replies : 6
Hi,
How do I know whether my viewstate has been tampered with or not?




Responses

Posted by: Sunny4989 on: 4/20/2012 [Member] Starter | Points: 25

The Enable View State property is "true" by default in ASP.NET.
When it is true it prevents anyone from changing the view state.

To avoid this type of tampering Microsoft offers 2 different types

- Machine Authentication Check (MAC) - tamper-proofing.
- Encrypting the View State.

------------------------------------------------
Learn throughout life


Posted by: Dotnetrajanikanth on: 4/20/2012 [Member] Starter | Points: 25

http://msdn.microsoft.com/en-us/library/ms178199%28VS.85%29.aspx

____________
www.flickr.com/photos/psdesigner/


Posted by: Dotnetrajanikanth on: 4/20/2012 [Member] Starter | Points: 25

ViewState is enabled by default so if you view a web form page in your browser you will see a line similar to the following near the form definition in your rendered HTML:
<input type="hidden" name="__VIEWSTATE"
value="dDwxNDg5OTk5MzM7Oz7DblWpxMjE3ATl4Jx621QnCmJ2VQ==" />

By default the ViewState of a page is unprotected. Although the values are not directly visible as in the case of querystring or hidden form fields, it would not be too difficult for a determined individual to decode the stored information. However, Microsoft has provided two mechanisms for increasing the security of ViewState.

Machine Authentication Check (MAC) - tamper-proofing
In fact tamper-proofing does not protect against an individual determining the contents of the ViewState. It instead provides a way of detecting whether someone has modified the contents of the ViewState in an attempt to deceive your application. In this technique the ViewState is encoded using a hash code (using the SHA1 or MD5 algorithms) before it is sent to the client browsers. On postback ASP.NET checks the encoded ViewState to verify it has not been tampered with. This is called a machine authentication check and is simply enabled at the page level:

<%@ Page EnableViewStateMac="true" %>

However, MAC is enabled by default in the machine.config file so should not be a concern unless someone has altered the default settings.

Encrypting the ViewState
You can instruct ASP.NET to encrypt the contents of ViewState using the Triple DES symmetric algorithm (see the .NET SDK documentation for more information) - a stronger encryption algorithm that makes it very difficult for anyone to decode the ViewState.
This encryption can only be applied at the machine.config level, as follows:

<machineKey validation='3Des' />

Note: if securing ViewState in a web farm scenario (multiple servers running the same application and thus needing to share state information) you must use the same validation key for all servers which is used to encrypt and decrypt the data. To do this you need to explicitly specify a common key rather than relying on autogeneration of a key as per the above configuration line. See the referenced 'Taking a Bite Out of ASP.NET ViewState' article for further information on this area.

____________
www.flickr.com/photos/psdesigner/


Posted by: Sabarimahesh on: 4/20/2012 [Member] Bronze | Points: 25

By setting the EnableViewStateMac to true in the @Page directive.

This attribute checks the encoded and encrypted viewstate for tampering.

Life is a Race
Thanks & Regards
By
Sabari Mahesh P M


Posted by: Sabarimahesh on: 4/20/2012 [Member] Bronze | Points: 25

To Get More

http://www.c-sharpcorner.com/Forums/Thread/61282/detecting-viewstate-tampering.aspx

Life is a Race
Thanks & Regards
By
Sabari Mahesh P M


Posted by: Sabarimahesh on: 4/20/2012 [Member] Bronze | Points: 25

machine.config file.
<machineKey validation="SHA1"/>

EnableViewState will only encode the value, which will not solve our problem, whereas EnableViewStateMac will do actual encryption.
<%@ Page language="c#" Codebehind="TestForm.aspx.cs" AutoEventWireup="false" EnableViewStateMac="True"
Inherits="TestForm" %>
in web.config

<system.web>
<pages ViewStateEncryptionMode="Always" />
</system.web>


Life is a Race
Thanks & Regards
By
Sabari Mahesh P M

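The machine authentication check described in Dotnetrajanikanth's and Sabarimahesh's replies (EnableViewStateMac, machineKey validation="SHA1") boils down to a keyed hash appended to the serialized state and re-checked on postback. The Python below is an added, simplified model of that check written for this thread; it is not ASP.NET's own code and does not reproduce its real serialization format. The key, the JSON serialization and the state values are constructed for the demo. It shows the three things the replies state: a valid blob round-trips, any modification of the state bytes is detected, and a server with a different validation key (the web-farm note) rejects a blob that another server produced. It also shows that the MAC alone does not hide the contents, which is why the replies list encryption as a separate mechanism.

```python
import base64
import hashlib
import hmac
import json
from typing import Any, Optional

# Constructed demo key. In ASP.NET the real value is the long hex
# validationKey in the <machineKey> element of machine.config/web.config.
SERVER_KEY = b"demo-validation-key-not-a-real-machineKey"
TAG_LEN = hashlib.sha1().digest_size  # 20 bytes for SHA1


def protect(state: dict, key: bytes = SERVER_KEY) -> str:
    """Serialize the page state, append an HMAC-SHA1 tag and base64-encode
    the result: the model of what lands in the hidden __VIEWSTATE field."""
    payload = json.dumps(state, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha1).digest()
    return base64.b64encode(payload + tag).decode()


def unprotect(viewstate: str, key: bytes = SERVER_KEY) -> Optional[dict]:
    """Verify the tag and return the state, or None when verification fails
    (ASP.NET would raise a ViewStateException / 'Validation of viewstate MAC
    failed' error instead of returning None)."""
    try:
        blob = base64.b64decode(viewstate, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(blob) <= TAG_LEN:
        return None
    payload, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha1).digest()
    # Constant-time comparison so timing does not leak how many bytes matched.
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(payload)


def peek(viewstate: str) -> Any:
    """Read the state WITHOUT a key: the MAC proves integrity, not secrecy,
    which is why ViewStateEncryptionMode exists as a separate setting."""
    blob = base64.b64decode(viewstate)
    return json.loads(blob[:-TAG_LEN])


def flip_one_bit(viewstate: str) -> str:
    """Simulate a modified blob arriving on postback: flip one bit of the
    serialized state and leave the tag untouched."""
    blob = bytearray(base64.b64decode(viewstate))
    blob[0] ^= 0x01
    return base64.b64encode(bytes(blob)).decode()


if __name__ == "__main__":
    vs = protect({"page": 1, "role": "user"})  # constructed sample state
    print("valid     :", unprotect(vs))
    print("modified  :", unprotect(flip_one_bit(vs)))           # None
    print("other key :", unprotect(vs, key=b"second-farm-node"))  # None
    print("peek      :", peek(vs))  # readable without any key
```

Running the script prints the round-tripped state once and None for both the modified blob and the mismatched key, while peek still shows the plain contents; the same three cases are what a log entry for a failed MAC check on a real ASP.NET server tells you, and a burst of such failures after a machineKey change or a new farm node is the usual benign cause worth ruling out first.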
