[Dailydave] ASP.Net viewstate

Kartikeya Puri kartikeya.puri at gmail.com
Tue Sep 12 14:24:36 EST 2006


Quoting from MSDN:

When the ASP.NET page framework creates a hash for view state data, it uses
a MAC key that is either auto-generated or specified in the Machine.config
file. If the key is auto-generated, it is created based on the MAC address
of the computer. The MAC address is the unique GUID value of the network
adapter in the computer.

So if I am in a LAN environment, it is possible for me to get the MAC on
which the auto-generated key is based. Now this is while assuming that the
key is auto-generated, which if I understand correctly is the default
(putting a long key in the Machine.config file is optional). Also, suppose
this is a LAN-based application where one can control what will be the
contents of the viewstate, i.e. the post variables can be controlled;
wouldn't it be possible to get the hash (which is SHA-1)? Just an idea ...

Regards,
Kartik


On 9/12/06, ET LoWNOISE <et at grex.cyberspace.org> wrote:
>
> http://msdn2.microsoft.com/en-us/library/ms178199.aspx
>
>
>
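
Added example, not part of the original post or the MSDN page: a small audit that reports whether a config file leaves the view state MAC key auto-generated or pins an explicit one, and whether the MAC is enabled at all. The attribute names (`validationKey`, `validation`, `enableViewStateMac`) come from the ASP.NET configuration schema rather than from the post, the 40 to 128 hex character key length is an assumption, and the sample configs are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample configs (not from the post); the key is a placeholder.
AUTO_CONFIG = """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps" validation="SHA1" />
  <pages enableViewStateMac="true" />
</system.web></configuration>"""
EXPLICIT_CONFIG = """<configuration><system.web>
  <machineKey validationKey="%s" validation="SHA1" />
</system.web></configuration>""" % ("0123456789ABCDEF" * 8)
NO_MAC_CONFIG = """<configuration><system.web>
  <pages enableViewStateMac="false" />
</system.web></configuration>"""


def audit_viewstate_mac(config_xml):
    """Report how the view state MAC key is chosen and whether the MAC is on."""
    root = ET.fromstring(config_xml)
    mk = next(root.iter("machineKey"), None)
    pages = next(root.iter("pages"), None)
    # No <machineKey> element or attribute means the auto-generated key is used.
    vkey = (mk.get("validationKey") if mk is not None else None) or "AutoGenerate"
    auto = vkey.split(",")[0].strip().lower() == "autogenerate"
    mac_flag = pages.get("enableViewStateMac", "true") if pages is not None else "true"
    report = {
        "key_source": "auto-generated" if auto else "explicit",
        "validation": mk.get("validation") if mk is not None else None,
        "mac_enabled": mac_flag.strip().lower() != "false",
        "issues": [],
    }
    if not report["mac_enabled"]:
        report["issues"].append("enableViewStateMac is false: view state is not integrity-protected")
    # Assumption: an explicit key is 40 to 128 hex characters (20 to 64 bytes).
    if not auto and not re.fullmatch(r"(?:[0-9A-Fa-f]{2}){20,64}", vkey):
        report["issues"].append("explicit validationKey is not 40-128 hex characters")
    return report


if __name__ == "__main__":
    for name, xml in [("auto", AUTO_CONFIG), ("explicit", EXPLICIT_CONFIG), ("no-mac", NO_MAC_CONFIG)]:
        print(name, audit_viewstate_mac(xml))
```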