Asp.net ViewState Security

-


Asp.net ViewState Security.



ASP.NET ViewState data is stored in a single Base64-encoded string  such as  this:
id="__VIEWSTATE" value="dDw3NDg2NdTI5MDg7Ozr4="/>

Since this value is not formatted in clear text, developers sometimes assume that their ViewState data is encrypted which is most certainly not the case. This data string can be reverse-engineered this and then viewed. This is an obvious security issue if sensitive data is being stored in ViewState.

To make ViewState secure, there are two choices, hash codes and ViewState encryption.



USE A HASH CODE.




A hash code  is a cryptographically strong checksum. When you use a has code, ASP.NET calculates the checksum based on the current ViewState content data and then adds this to the hidden input field when the page  when is returned to the client.  On the page post back, ASP.NET then recalculates the checksum to  ensures a  match. If a malicious user were to  change the ViewState data, ASP.NET can detect the  the change reject the postback.
Hash codes are enabled by default,  however, sometimes developers elect  to disable hash codes to prevent problems on a web farm when  servers have different keys. Hash codes can be disabled on the page in the .aspx file’s Page directive:

<%@ Page EnableViewStateMac="false" ... %>
To disable hashing site-wide use the  ViewStateMac attribute of the pages  element in  web.config :




...


For more on hashing, please refer to C# Security – Hashing



USE VIEWSTATE ENCRYPTION.




Hash codes help to prevent ViewState data from being tampered with but they do not provide much assistance in preventing ViewState data from being read since hash codes can still be converted to clear text. To prevent ViewState being read, use the  ViewState Encryption, which can be turned on at the page level using the ViewStateEncryptionMode property of the Page directive:

<%@Page ViewStateEncryptionMode=”Always” … %>

Or site-wide in the web.config file:



There are three settings for viewStateEncryptionMode:

Always : All ViewState data is encrypted.
Never : No ViewState data is encrypted.
Auto : Data is only encrypted when specifically requested by the ASP.NET control.
The default setting is Auto so no data will be encrypted unless otherwise requested by a control on a page. For a control to request encryption in needs to call the Page.RegisterRequiresViewStateEncryption() method before it is rendered to HTML.

Note that using encryption incurs a performance penalty so it should only be used when necessary.


Comments

Data Recovery Services said…
Its like you read my mind! You seem to know so much about this, like you wrote the book in it or something. I think that you could do with some pics to drive the message home a bit, but other than that, this is great blog.
hard drive recovery service
July 16, 2012 at 1:24 AM
Post a Comment

Popular posts from this blog

Authorize.net Integration eCommerce Payment Gateway ( Direct Post Method New! )

-
https://developer.authorize.net/integration/fifteenminutes/csharp These steps assume that your web server is on the public internet and can be accessed via a domain name or IP address. Step 1:Sign up for a Test Account. Sign up for a test account to obtain an API Login ID and Transaction Key. These keys will authenticate requests to the payment gateway. Step 2: Download the Authorize.Net C# SDK and include it in your project Download the SDK Create a new ASP.NET MVC application and add a reference to the AuthorizeNET.dll from the SDK Step 3: Modify web.config. Add the AuthorizeNET.Helpers namespace to the web.config, under system.web/pages: ... Step 4: Create a checkout form that posts directly to Authorize.Net Add the following code to the Home/Index View - this will create a form which will submit a test transaction to Authorize.Net (with hardcoded values). This code uses the SDKs CheckoutFormBuilder to create the form for you - just include your API login and Transa...
Read more

Visual Studio debuggin perfromance Improvement.

-
Solution Improving Visual studio debugging performance. 1. Disable Intellitrace completely 2. Tools -> Options -> IntelliTrace -> [ ] Enable IntelliTrace 3. Delete all the Visual studio breakpoints a. You may need to delete all your breakpoints---note that you need to click the "delete all breakpoints" button (or use Ctrl-Shft-F9), NOT just delete them one by one. If Visual Studio has mangled your solution settings the latter will not work. You may need to add a breakpoint first, in order for this to work (clever, eh?) i. If worst comes to worst, you may need to delete your .suo file and let Visual Studio start a new one from scratch. Note that you will lose your personal solution configuration settings, however (only for this solution, not any others). However, you may want to move/rename the file temporarily until you determine whether or not this is the problem; that way, you can always move it back. I have seen some online resources recommend del...
Read more

ASP.NET Page Life Cycle

-
Page_Init -> During this phase, the server creates an instance of the server control. i.e. various controls are intialised to default values. but viewstate doesn't exists. ViewState Load method -> Loads viewstate object. Load postback Data -> Loads the data posted back incase of isPostback is true. Page_Load () -> During this phase, the instance of the control is loaded onto the page object in which it is defined Pre_Render () -> During this phase, the control is updated with the changes made to it. This prepares the control for rendering. Save () -> During this phase, the state information of the control is saved. For example, if a value is set for the control during the Load event, it is embedded in the HTML tag that will be returned to the browser. SaveViewState ()-> Viesstateinformation is saved. Rendering ()-> During this phase, the server creates the corresponding HTML tag for the control. Disposing ()-> During...
Read more