Tuesday, February 22, 2005

The one-click attack and ViewStateUserKey

A one-click attack consists in posting a malicious HTTP form to a known, vulnerable Web site. It is called "one-click" because it usually begins with an unaware victim clicking on an alluring link received through e-mail or found when navigating a crowded forum. By following the link, the user inadvertently triggers a remote process that ends up submitting the malicious form to a site. To be successful, a one-click attack requires certain background conditions:
  • The first prerequisite is a social pretext that will lure the victim into clicking a hyperlink.
  • The attacker also needs a Web site to host the page that launches the attack - but not always.
  • A would-be attacker needs sufficient knowledge of the target application to construct request data, which the application will accept. Generally, this means that the attacker needs to know the URL of the vulnerable page, the name of every form field and query string parameter in the page, and what sort of value is expected for each of them.
  • The site must be using cookies (better if persistent cookies) to implement single sign-on, and the attacker should have received a valid authentication cookie.
  • Certain users of the site are involved in sensitive transactions.
  • The attacker must have access to the target page.

The attacker is limited as to what parts of the victim's request he can control using this technique. The query string parameters and form fields are completely within the attacker's control, but cookies are out of reach. Some of the request headers, such as User-Agent, are also out of the attacker's reach, but others, such as Server and Referer, can be controlled to varying degrees. The only hint that the victim did not intend to submit the request is in the Referer field.

The industrial-strength solution to the problem of one-click attacks is to somehow prevent the attacker from being able to assemble request data that the server will accept. This is done by requiring a field in the request to contain an element of data that the attacker can't supply.

ViewStateUserKey is a string property of the System.Web.UI.Page class. The property helps you prevent one-click attacks by providing additional input to create the hash value that defends the view state against tampering. In other words, ViewStateUserKey makes it much harder for hackers to use the content of the client-side view state to prepare malicious posts against the site.

Read Eric Rachner's article One-click Attack in more detail. Also read Dino Esposito's article Take Advantage of ASP.NET Built-in Features to Fend Off Web Attacks on the most common types of Web attacks.

3 Comments:

At 5:13 PM, Anonymous Anonymous said...

louis vuitton outlet, ugg boots, ray ban sunglasses, oakley sunglasses, louis vuitton outlet, longchamp pas cher, prada outlet, polo ralph lauren outlet, nike outlet, chanel handbags, louboutin outlet, longchamp outlet, louis vuitton, nike air max, cheap oakley sunglasses, longchamp outlet, jordan shoes, louis vuitton, nike free, tiffany and co, tory burch outlet, prada handbags, replica watches, nike roshe run, longchamp, louboutin, air max, ralph lauren pas cher, christian louboutin outlet, replica watches, louis vuitton, nike air max, kate spade outlet, louboutin pas cher, nike free, oakley sunglasses, sac longchamp, oakley sunglasses, polo ralph lauren outlet, louboutin shoes, uggs on sale, ray ban sunglasses, ray ban sunglasses, burberry, gucci outlet, oakley sunglasses, tiffany jewelry, ugg boots, air jordan pas cher, michael kors

 
At 5:17 PM, Anonymous Anonymous said...

mont blanc, nike air max, babyliss, mcm handbags, louboutin, herve leger, ghd, hollister, celine handbags, lancel, new balance, nike trainers, valentino shoes, nfl jerseys, reebok shoes, soccer shoes, oakley, vans shoes, p90x workout, soccer jerseys, nike huarache, converse outlet, nike roshe, abercrombie and fitch, bottega veneta, north face outlet, beats by dre, birkin bag, instyler, gucci, mac cosmetics, chi flat iron, ferragamo shoes, insanity workout, ralph lauren, nike air max, jimmy choo shoes, longchamp, wedding dresses, asics running shoes, vans, hollister, timberland boots, iphone cases, baseball bats, hollister, giuseppe zanotti, north face outlet, ray ban, lululemon

 
At 5:24 PM, Anonymous Anonymous said...

montre pas cher, moncler outlet, moncler, karen millen, moncler, supra shoes, ugg pas cher, wedding dresses, swarovski, moncler, sac louis vuitton pas cher, doudoune canada goose, moncler, louis vuitton, pandora charms, canada goose, ugg,uggs,uggs canada, swarovski crystal, marc jacobs, hollister, moncler, toms shoes, louis vuitton, ugg boots uk, louis vuitton, canada goose uk, coach outlet, louis vuitton, moncler, canada goose, pandora charms, links of london, moncler, canada goose, canada goose outlet, pandora jewelry, juicy couture outlet, canada goose, thomas sabo, juicy couture outlet, pandora jewelry, bottes ugg, canada goose outlet, ugg,ugg australia,ugg italia, replica watches

 

Post a Comment

<< Home