All Questions
23 questions
0 votes, 0 answers, 62 views
Security Concern - How to Prevent User and Password from Displaying in Form Data During Login in a .NET Web Application
How can I prevent sensitive information, such as the username and password, from being exposed in the Form Data section of the inspect element feature in a .NET web application, as depicted in the ...
3 votes, 1 answer, 3k views
Implications of saving session on the client with javax.faces.STATE_SAVING_METHOD
My first JSF page was throwing javax.faces.application.ViewExpiredException. While I searched, I got this solution, which solved my problem.
<context-param>
<param-name>javax.faces....
0 votes, 1 answer, 310 views
How to prevent Viewstate tampering in AngularJS?
This is an interview question I was asked today -_-. I don't understand the question actually, because I don't understand how anything can be tampered in the scenario. He asked this when I was talking ...
1 vote, 1 answer, 88 views
Can you trust ViewState to handle program control?
I've read a lot about ViewState on MSDN and looked at these questions (among others):
Can malicious users modify viewstate?
How to modify viewstate of a label in ASP.net
I see that if you have ...
1 vote, 2 answers, 115 views
Is EWL secure while having EnableViewStateMac set to false?
I watched a talk recently ( http://vimeo.com/68390507 ) where the speaker is very serious, saying several times, to never set EnableViewStateMac=false.
While using Enterprise Web Library, I noticed ...
4 votes, 2 answers, 2k views
Asp.net EnableViewStateMac and malicious code [December security updates]
In the latest Asp.Net December 2013 Security updates Microsoft released a patch for ASP.Net - 'Insecure ASP.NET Web Forms (.aspx) configuration could allow remote code execution'. Related KB is ...
3 votes, 3 answers, 2k views
My Event Log is full of ViewState was Invalid and Unhandled Exception
I have HealthMonitoring on for my website. 90% of my pages are accessed in the format
http://www.itsmywebsite.com/showproduct.aspx?id=somenumber
I was checking the WebEvents_events tables and saw ...
3 votes, 1 answer, 9k views
How to determine if ViewState has MAC enabled when crawling a page?
I was using Burp Suite to do some security testing on a site and I noticed that when it detects ViewState it will automatically tell you whether it has MAC enabled.
I'm curious if anyone knows of a ...
1 vote, 1 answer, 1k views
How do I emulate an *encrypted* non-tamperable Viewstate in ASP.NET MVC?
I have data that I only want to make available in three different HTTP POSTs (think of a workflow) and I don't want to use a QueryString, or a Cookie for this information. For this reason, I think ...
4 votes, 2 answers, 4k views
Can malicious users modify viewstate?
If ViewStatemac is enabled in an ASP.NET application can a user modify what is in ViewState and successfully pass it back to the server?
I have an application (that someone else wrote) that is using ...
7 votes, 1 answer, 2k views
Is it possible to spoof or reuse VIEWSTATE or detect if it is protected from modification?
Question
ASP and ASP.NET web applications use a value called VIEWSTATE in forms. From what I understand, this is used to persist some kind of state on the client between requests to the web server.
...
2 votes, 1 answer, 2k views
ViewStateUserKey + shared hosting + ViewStateMac validation failure
So, the question is simple, even though I'm starting to have doubts if this will get answered...
I have a website, where I wanted to secure my viewstate with the recommended ViewStateUserKey.
In my ...
1 vote, 3 answers, 133 views
How can I tell the difference between a post from a browser, and someone trying to post programmatically
Is there a way to determine if the request coming to a handler (let's assume the handler responds to GET and POST) is being performed by a real browser versus a programmatic client?
I already know ...
4 votes, 2 answers, 602 views
Do ASP.Net controls expose SQL Queries via viewstate?
Do controls, that are part of the default ASP.Net control set - ALL use viewstate or controlstate all the time?
i.e. If I drop the code below onto a brand new web form, is my SQL string placed in ...
8 votes, 3 answers, 10k views
Is my VIEWSTATE encrypted?
I'm a little confused. I haven't explicitly set the Web.config <pages ViewStateEncryptionMode="Always" />, and so this MSDN page says that it should default to Auto. This MSDN page says that ...
13 votes, 3 answers, 22k views
hidden field vs viewstate
What is the difference when using
Hidden field vs View state?
When to use each one?
Which one is more secure?
Which is better in performance?
What are the alternatives?
2 votes, 1 answer, 2k views
ASP.net ViewState encryption and decryption
I heard that .NET framework will encrypt the ViewState using SHA1 or some other algorithm.
So if I know the SHA1 encryption and decryption algorithm can I tamper a ViewState? I mean
a malicious user ...
5 votes, 6 answers, 2k views
Is it safe to store credit card and pricing information in ViewState even over ssl?
I have a page with private properties that are storing a credit card object and a shopping cart object in viewstate so I can maintain a reference to them across postbacks. By the way, the page ...
0 votes, 4 answers, 139 views
What prevents a user from adding controls to an ASP.NET page client side?
This goes back to my other question which I thought was sufficiently answered but upon reflection am not sure that it was (sorry).
Backgrounder:
I am generating a form dynamically. I am pulling from the ...
0 votes, 5 answers, 130 views
Secure to store an ID in an ASP.NET control ID?
I'm auto-generating a form in my ASP.NET page. This is already tested and working. I want to know if:
If there are any security problems with storing the database ID as part of my controls ID? I can ...
8 votes, 3 answers, 29k views
Is it possible to decrypt and view ViewState values?
I know there are tools out there that will let you see the content of asp.net viewstate. Is it possible to see and modify the content of viewState if it has been encrypted by adding the <...
0 votes, 3 answers, 2k views
C# asp.net build SQL Query dynamically from viewstate
On my C# asp.net webform I have a search page that has roughly 20 elements that "could" be used as part of the search. There will be more added later.
What I have done is extend the textbox and ...