I'm working through some security issues for our application, and we have set ViewStateEncryptionMode to true (in web.config). I've noticed that there is still a _VIEWSTATE field, and now there is a new field _viewstateencrypted on the form. I have two questions:
- Does this mean the view state can still be hacked, or does asp.net recognise it and only use the encrypted field?
- I'm getting an OWASP ZAP security issue saying they found an injection problem with the view state by appending text. How do I fix this?
Thanks in advance
Hard to say without more information, but here are a few random guesses:
ViewStateEncryptionMode can't be set to true?? I guess you mean 'Always' (MSDN reference).
If ViewStateEncryptionMode is Always, yes, your viewstate is encrypted. This should hide the information it contains from prying eyes.
If you don't need to hide the viewstate content, but want to prevent tampering (i.e. modification), you can set enableViewStateMac='true'. This adds a cryptographic hash to check if the content was tampered with. See the MSDN documentation for more details. Both this and ViewStateEncryptionMode can be active at the same time if you want to.
Most probably you are seeing a false positive from OWASP ZAP. Does your encoded viewstate contain strings such as SQL, JDBC or ODBC? See this bug.
The message reminds me vaguely of the padding oracle exploit. Is your server patched with MS10-070? Note that this is old stuff, the exploit was found and patched in 2010.
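As an added illustration of the two settings discussed in the answer above (this fragment is not from the answer or from Microsoft's documentation), here is the relevant part of a web.config with the weak configuration spelled out beside the hardened one. The machineKey values are placeholders, not real keys:

```xml
<configuration>
  <system.web>
    <!-- Weak: state is serialised in the clear and, with the MAC off, can be
         edited and posted back to the page. Kept here only for comparison.
    <pages enableViewState="true" enableViewStateMac="false"
           viewStateEncryptionMode="Never" />
    -->

    <!-- Hardened: always encrypt and always MAC. The ciphertext still travels
         in __VIEWSTATE; __VIEWSTATEENCRYPTED is an empty marker field that
         tells the runtime the payload must be decrypted on postback. -->
    <pages enableViewState="true" enableViewStateMac="true"
           viewStateEncryptionMode="Always" />

    <!-- Pin the algorithms and keys so every node in a web farm produces and
         validates the same view state. Placeholder values: generate your own
         (for example with IIS Manager's Machine Key feature) and keep them
         out of source control. -->
    <machineKey validation="HMACSHA256" decryption="AES"
                validationKey="REPLACE_WITH_128_HEX_CHARS"
                decryptionKey="REPLACE_WITH_64_HEX_CHARS" />
  </system.web>
</configuration>
```

Two caveats for anyone applying this today: since the September 2014 ASP.NET security update (KB2905247) `enableViewStateMac="false"` is ignored and the MAC is always enforced, so the "weak" block above only reproduces behaviour of unpatched servers; and encryption without a MAC is not tamper protection, which is why both are set.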
If the VIEWSTATE is not encrypted, there is a security risk (anyone can modify the VIEWSTATE value and post it to your page).
To see whether it is encrypted, go here and paste in your VIEWSTATE value: http://ignatu.co.uk/ViewStateDecoder.aspx
If that page can decode the VIEWSTATE, then it is not encrypted.
To "secure" your VIEWSTATE, you need to set the following in web.config:
<pages enableViewState="true" enableViewStateMac="true">
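Rather than pasting a view state into a third-party decoder page (which also hands your page state to someone else's server), the check both answers describe can be done locally. The following Python is an added example, not code from either answer or from ASP.NET; it uses only the standard library. It looks for the 0xFF 0x01 header that ObjectStateFormatter writes at the start of every unencrypted view state, decodes a small subset of the LOS token format to show the blob is readable in the clear, and reports whether the page rendered the `__VIEWSTATEENCRYPTED` marker field. The sample view states and form HTML are constructed here; `audit_form`, `classify_raw` and the other names are my own.

```python
import base64
import re

# ObjectStateFormatter starts every serialized (unencrypted) view state with
# 0xFF (marker) 0x01 (format version). Ciphertext will not start with this.
LOS_HEADER = b"\xff\x01"

# Subset of the ObjectStateFormatter (LOS) token values: containers, strings,
# ints and the single-byte constants. Type refs and binary blobs are omitted.
T_INT32, T_STRING = 0x02, 0x05
T_PAIR, T_TRIPLET, T_ARRAYLIST = 0x0F, 0x10, 0x16
T_INDEXED_STRING_ADD, T_INDEXED_STRING = 0x1E, 0x1F
T_NULL, T_EMPTY_STRING, T_ZERO_INT32, T_TRUE, T_FALSE = 0x64, 0x65, 0x66, 0x67, 0x68

HIDDEN_RE = re.compile(r'<input[^>]*\bname="(__[A-Z]+)"[^>]*\bvalue="([^"]*)"')

def extract_hidden_fields(html):
    """Collect the __VIEWSTATE-style hidden fields from a rendered form."""
    return dict(HIDDEN_RE.findall(html))

class LosReader:
    """Minimal reader for the LOS byte stream."""
    def __init__(self, data, pos=0):
        self.data, self.pos, self.strings = data, pos, []

    def byte(self):
        b = self.data[self.pos]
        self.pos += 1
        return b

    def varint(self):
        # 7-bit encoded int, as BinaryWriter.Write7BitEncodedInt produces
        result, shift = 0, 0
        while True:
            b = self.byte()
            result |= (b & 0x7F) << shift
            if not b & 0x80:
                return result
            shift += 7

    def string(self):
        n = self.varint()  # BinaryWriter length prefix, in bytes
        s = self.data[self.pos:self.pos + n].decode("utf-8")
        self.pos += n
        return s

    def value(self):
        t = self.byte()
        if t == T_INT32: return self.varint()
        if t == T_STRING: return self.string()
        if t == T_PAIR: return (self.value(), self.value())
        if t == T_TRIPLET: return (self.value(), self.value(), self.value())
        if t == T_ARRAYLIST: return [self.value() for _ in range(self.varint())]
        if t == T_INDEXED_STRING_ADD:      # first occurrence, added to the string table
            s = self.string()
            self.strings.append(s)
            return s
        if t == T_INDEXED_STRING:          # back-reference into the string table
            return self.strings[self.varint()]
        if t == T_NULL: return None
        if t == T_EMPTY_STRING: return ""
        if t == T_ZERO_INT32: return 0
        if t == T_TRUE: return True
        if t == T_FALSE: return False
        raise ValueError(f"unsupported LOS token 0x{t:02x} at offset {self.pos - 1}")

def classify_raw(raw):
    """Return (status, state) for decoded view state bytes.
    "plaintext": header present and the whole payload decodes.
    "plaintext-with-trailer": header present, bytes left after the state
        (with enableViewStateMac on, the MAC sits here; it is readable but not
        editable without the validation key).
    "encrypted-or-unknown": no LOS header, i.e. ciphertext or a format we don't parse.
    """
    if not raw.startswith(LOS_HEADER):
        return "encrypted-or-unknown", None
    reader = LosReader(raw, pos=len(LOS_HEADER))
    state = reader.value()
    return ("plaintext" if reader.pos == len(raw) else "plaintext-with-trailer"), state

def decode_viewstate(b64):
    """Classify a __VIEWSTATE value as it appears in the form."""
    return classify_raw(base64.b64decode(b64))

def audit_form(html):
    """Run both checks against one rendered page."""
    fields = extract_hidden_fields(html)
    status, state = decode_viewstate(fields["__VIEWSTATE"])
    # ASP.NET renders __VIEWSTATEENCRYPTED (empty) only when it actually encrypted the state
    return {"status": status, "state": state,
            "encrypted_marker": "__VIEWSTATEENCRYPTED" in fields}

# Constructed samples, not captured from a real application: Pair("hello", 42)
# serialized by hand; the same with 20 zero bytes standing in for a SHA1 MAC
# trailer; and 32 arbitrary bytes standing in for ciphertext.
_PLAIN = LOS_HEADER + bytes([T_PAIR, T_STRING, 5]) + b"hello" + bytes([T_INT32, 42])
SAMPLE_PLAIN_B64 = base64.b64encode(_PLAIN).decode()
SAMPLE_MAC_B64 = base64.b64encode(_PLAIN + b"\x00" * 20).decode()
SAMPLE_ENC_B64 = base64.b64encode(bytes(range(32))).decode()
SAMPLE_HTML = (
    f'<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="{SAMPLE_ENC_B64}" />\n'
    '<input type="hidden" name="__VIEWSTATEENCRYPTED" id="__VIEWSTATEENCRYPTED" value="" />\n'
)

if __name__ == "__main__":
    for label, vs in (("plain", SAMPLE_PLAIN_B64), ("mac", SAMPLE_MAC_B64), ("enc", SAMPLE_ENC_B64)):
        print(label, decode_viewstate(vs))
    print(audit_form(SAMPLE_HTML))
```

Point the script at the `__VIEWSTATE` of a page rendered with ViewStateEncryptionMode set to Always and it should report `encrypted-or-unknown`; if it reports `plaintext` or `plaintext-with-trailer`, the state is readable by anyone who views the form source, and only the MAC trailer (if present and actually validated by the server) stops them from changing it.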