4TT4CK3R Finds ViewState Bug in UK Geological Society Site

Iranian security researcher 4TT4CK3R has disclosed a vulnerability in the website of the UK’s Geological Society.
The website runs on IIS 7.5 on Windows Server with ASP.NET (version 4.0.30319), but its ViewState parameter is not encrypted.

This means that someone could intercept the information stored in the ViewState, so it is best to encrypt it.
ViewState is a technique used by an ASP.NET Web page to persist changes to the state of a Web Form across postbacks. The ViewState form field slows downloads, and when the user posts back the Web page, the contents of this hidden form field must be sent back in the HTTP request. This also increases the request time.

Mitigation

The machineKey element configures algorithms and keys to use for encryption, decryption, and validation of forms-authentication data and view-state data, and for out-of-process session state identification. The machineKey validation should be set to AES. This instructs ASP.NET to encrypt the ViewState value using the Advanced Encryption Standard.

To do this:

  1. On the web server, open the web.config file
  2. Add the following under the element :
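
An added example, not part of the original article or the site's configuration: a small Python check that reads a web.config and reports whether ViewState encryption is enforced, run over two constructed sample configs (one weak, one with the `machineKey validation="AES"` setting described above). It assumes `machineKey` and `pages` sit under `<system.web>`; `viewStateEncryptionMode` and `enableViewStateMac` are ASP.NET `<pages>` attributes the article does not mention, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (not taken from the affected site).
WEAK = """<configuration>
  <system.web>
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>"""

HARDENED = """<configuration>
  <system.web>
    <machineKey validation="AES" />
    <pages viewStateEncryptionMode="Always" />
  </system.web>
</configuration>"""


def _attr(section, tag, name, default=""):
    """Lower-cased attribute of a child element, or the default if absent."""
    el = section.find(tag) if section is not None else None
    return (el.get(name, default) if el is not None else default).strip().lower()


def audit_viewstate(web_config_xml):
    """Return findings about ViewState protection (hypothetical helper)."""
    root = ET.fromstring(web_config_xml)
    # iter() compares tag names exactly, so the dot in "system.web" is safe.
    section = next(root.iter("system.web"), None)
    validation = _attr(section, "machineKey", "validation")
    mode = _attr(section, "pages", "viewStateEncryptionMode", "auto")
    mac = _attr(section, "pages", "enableViewStateMac", "true")

    findings = []
    # The article's fix is validation="AES"; mode "Always" also forces encryption.
    if validation != "aes" and mode != "always":
        findings.append('encryption not enforced: add <machineKey validation="AES" />')
    # Without the MAC the server cannot detect a modified ViewState.
    if mac == "false":
        findings.append('integrity check disabled: remove enableViewStateMac="false"')
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_viewstate(cfg) or "OK")
```
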

Details on this vulnerability can be read here
More details on the machineKey encryption options can be read here

Other vulnerabilities discovered by 4TT4CK3R can be seen here

Affected site: https://www.geolsoc.org.uk/
Web Server: IIS-7.5
Server Type: Windows Server
Language/version: Microsoft ASP.NET 4.0.30319
