Uncategorized → The ViewState security
Comments Off
The ViewState mechanism
ViewState is the mechanism by which a .NET page maintains it’s state (information) between page post backs (e.g. the user will save data to her browser).
Introducing ViewState
The Http/Https protocol is stateless and text based, which means that state is not maintained between client requests by default and that the data exchanged between client and server are all clear text (or encoded text). ASP.NET provides several mechanisms to manage state in a more powerful and easier to utilize way than classic ASP.
Page level state is information maintained when an element on the web form page causes a subsequent request to the server for the same page ?€“ referred to as ‘postback’. This is appropriately called ViewState as the data involved is usually, though not necessarily, shown to the user directly within the page output.
The Control.ViewState property is associated with each server control in your web form and provides a dictionary object for retaining values between such multiple requests for the same page. This is the method that the page uses to preserve page and control property values between round trips.
When the page is processed, the current state of the page and controls is hashed into a string and saved in the page as a hidden field, that is if we talk simplistically. When the page is posted back to the server, the page parses the view state string at page initialization and restores property information in the page.
ViewState is enabled by default so if you view a web form page in your browser you will see a line similar to the following near the form definition in your rendered HTML:
| value=“dDwxNDg5OTk5MzM7Oz7DblWpxMjE3ATl4Jx621QnCmJ2VQ==” /> |
When a page is re-loaded two methods pertaining to ViewState are called: LoadViewState and SaveViewState. Page level state is maintained automatically by ASP.NET but you can disable it, as necessary, by setting the EnableViewState property to false for either the controls whose state doesn’t need to be maintained or for the page as a whole. For the control:
| < %@ Page EnableViewState=?€false?€ %> |
You can validate that these work as claimed by analyzing the information presented if you turn on tracing for a page containing the above elements. You will see that on postback, and assuming ViewState is enabled, that the LoadViewState method is executed after the Init method of the Page class has been completed. SaveViewState is called after PreRender and prior to actual page rendering.
You can also explicitly save information in the ViewState using the State Bag dictionary collection, accessed as follows:
| ViewState(key) = value |
Which can then be accessed as follows:
| Value = ViewState(key) |
It is important to remember that page level state is only maintained between consecutive accesses to the same page. When you visit another page the information will not be accessible via the methods above. For this we need to look at other methods and objects for storing state information, typically session state if the information is required on a per user basis.
Postback and non-postback controls
Some server controls, for example the textbox control, post their values as part of the postback operation and are known as postback controls. For such postback controls ASP.NET retrieves their values one by one from the HTTP Request and copies them to control values whilst creating the HTTP Response. Traditionally, web developers had to write code to do all this but now ASP.NET handles these activities automatically. Importantly there are no extra storage overheads for ViewState in maintaining state for postback controls.
In addition ViewState also supports non-postback controls, e.g. Label controls. This is where the hidden fields are used to maintain state. When ASP.NET executes a page, it collects the values of all non-post back controls that are modified in code and formats them into a single base64-encoded string. This string is then stored in a hidden file in a control named __VIEWSTATE, as per the example above. The hidden field is a post back control and when the encoded string is processed by the web server ASP.NET decodes the string at page initialization and restores the controls values to the page.
What can you store in ViewState?
ViewState offers a substantial improvement over the two competing techniques for state management via the client: standard hidden fields and cookies, in that ViewState is not limited to the storage of simple values. You can use ViewState to store any object as long as it is serializable, and the standard VB.NET types are. Serialization is the process of storing an object’s data and other information necessary to reconstruct the object later.
Protecting ViewState
By default the ViewState of a page is unprotected. Although the values are not directly visible as in the case of querystring or hidden form fields, it would not be too difficult for a determined individual to decode the stored information. However, Microsoft has provided two mechanisms for increasing the security of ViewState.
Message Authentication Code (MAC)
A MAC does not protect from information disclosure. It instead protects from integrity attacks and authenticity (with properties similar to those of a digital signature,but not the same). In this technique the ViewState is encoded using a hash code (using the SHA1 which means that it is an HMAC) before it is sent to the client browsers. On post back ASP.NET checks the encoded ViewState to verify it has not been tampered with. This is called a massage authentication code and is simply enabled at the page level:
| < %@ Page EnableViewStateMac=”true”%> |
However, MAC is enabled by default in the machine.config file and should not be a concern unless someone has altered the default settings. But even if you do not use a default configuration or have used the default machine.config, while using the WebFormAuthentication MAC is enabled either way.
To be more specific of what a MAC is look at the current diagram:
A cryptographic message authentication code (MAC) is a short piece of information used to authenticate a message. A MAC algorithm accepts as input a secret key and an arbitrary-length message to be authenticated, and outputs a MAC (sometimes known as a tag). The MAC value protects both a message’s integrity as well as its authenticity, by allowing verifiers (who also possess the secret key) to detect any changes to the message content.
A message integrity code (MIC) is different from a MAC in that a secret key is not used in its operation. Although the terms are sometimes used interchangeably, a MIC should always be encrypted during transmission if it is to be used as a reliable gauge of message integrity. On the other hand, a MAC, which uses a secret key, does not necessarily need to be encrypted to provide the same level of assurance. A given message will always produce the same MIC assuming the same algorithm is used to generate both. Conversely, the same message can only generate matching MACs if the same secret key is used with the same algorithms to generate both. MICs don’t use secret keys and, when taken on their own, are therefore a much less reliable gauge of message integrity.
While MAC functions are similar to cryptographic hash functions, they possess different security requirements. To be considered secure, a MAC function must resist existential forgery under chosen-plaintext attacks. This means that even if an attacker has access to an oracle which possesses the secret key and generates MACs for messages of the attacker’s choosing, he can “never” guess the MAC for any message that he has not yet asked the oracle about. (Here “never” means, “not without doing an infeasible amount of computation”).
MACs differ from digital signatures, as MAC values are both generated and verified using the same secret key. This implies that the sender and receiver of a message must agree on keys before initiating communications, as is the case with symmetric encryption. For the same reason, MACs do not provide the property of non-repudiation offered by signatures: any user who can verify a MAC is also capable of generating MACs for other messages. In contrast, a digital signature is generated using the private key of a key pair, which is asymmetric encryption. Since this private key is only accessible to its holder, a digital signature proves that a document was signed by none other than that holder. Thus, digital signatures do offer non-repudiation.
MAC algorithms can be constructed from other cryptographic primitives, such as cryptographic hash functions (as in the case of HMAC) or from block cipher algorithms (OMAC, CBC-MAC and PMAC).
Encoding and Encrypting the ViewState
When the ASP.NET page framework creates a hash for view state data, it uses a MAC key that is either auto-generated or specified in the Machine.config file. If the key is auto-generated, it is created based on the MAC address of the computer. The MAC address is the unique GUID value of the network adapter in the computer.
It can be difficult for malicious users to reverse-engineer the MAC key based on the value in the page and the view state. Thus, MAC encoding is typically a reliable way to determine whether anyone has tampered with the view-state data.
In general, the larger the MAC key that is used to generate the hash, the less likely it is that the hash value for different strings will be the same. When the key is auto-generated, ASP.NET uses SHA1 encoding to create a large key. However, in a Web-farm environment, the key must be the same across all of the servers. If the key is not the same, and the page is posted back to a different server than the one that created the page, the ASP.NET page framework will raise an exception. Therefore, in a Web farm environment, you should specify a key in the Machine.config file instead of allowing ASP.NET to auto-generate one. The longer the key, the more secure it is; but the longer the key is the more time it takes to create a hash, so it is important to weigh security needs versus performance needs.
You can instruct ASP.NET to encrypt the contents of ViewState using the Triple DES symmetric algorithm (see the .NET SDK documentation for more information) ?€“ a stronger encryption algorithm that makes it very difficult for anyone to decode the ViewState.
This encryption can only be applied at the machine.config level, as follows:
| < %@ Page EnableViewStateMac=”true”%> |
Reference: ASP.NET: Tips, Tutorial and Code Scott Mitchell et al.Sams
Reference: Developing and implementing web applications with VB.Net and VS.Net
Mike Gunderloy Que
Reference: Taking a Bite Out of ASP.NET ViewState Susan Warren
Reference:http://en.wikipedia.org/wiki/Message_authentication_code
Notice:This article was originally posted at http://www.dotnetjohn.com/articles.aspx?articleid=71, and I am providing you with an altered version.
