View State Lockdown
Posted in Development
For a while now a certain individual, or a group of individuals (hereinafter referred to as “dirtbags”), have been trying to hack my site by feeding it bogus view state. I don’t know what their idea is, but they post entire spam emails as the view state field. Do they expect my site to actually email it? Why would it? I also see this view state attack coming from all over the world: China, Costa Rica, Egypt, Iran, France, Germany. My guess is they go through anonymous proxies, or through badly configured software that has been pressed into service as an open proxy.
It’s comforting to realize that their efforts are futile. What I always do is configure <machineKey> in web.config with the longest validation key allowed (128 hex characters), 3DES encryption and all that good stuff. With MAC validation on, a tampered or fabricated view state fails the integrity check and the request is rejected before the page ever deserializes the payload. I’ve talked about it in my article on view state and put together an online tool which generates a complete <machineKey> tag ready for cut-and-paste “deployment”. In production, though, I prefer to store view state in the database, to (a) reduce the payload sent to the browser, and (b) not worry about anyone messing with it, since the client only ever holds an opaque key.
If your view state is wide open (MAC validation off, or keys left to auto-generate on a web farm so they don’t match), I suggest you lock it down. I don’t enjoy hearing about imaginary terrorists all the time, but this threat is real.
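Below is an added web.config example (it is not the author’s generated tag nor the output of the tool mentioned above) showing the wide-open setting beside a locked-down <machineKey>. The hex keys are placeholders of the correct length only; generate your own random values and never copy keys from an example. Attribute names and value lengths follow the ASP.NET 1.1 schema, with the equivalent 2.0 attributes noted in comments.

```xml
<configuration>
  <system.web>

    <!-- WIDE OPEN (for contrast): auto-generated keys plus MAC validation
         turned off. Anyone can craft a view state blob that the page will
         happily deserialize, and on a web farm the auto keys differ per server. -->
    <!--
    <machineKey validationKey="AutoGenerate" decryptionKey="AutoGenerate" validation="MD5" />
    <pages enableViewStateMac="false" />
    -->

    <!-- LOCKED DOWN:
         validationKey  : 128 hex chars (64 bytes), the maximum ASP.NET accepts
         decryptionKey  : 48 hex chars (24 bytes), the 3DES key size
         validation="3DES": in 1.1 this both MACs and encrypts the view state.
         On ASP.NET 2.0 the same intent is expressed as
           validation="SHA1" decryption="3DES"
           <pages enableViewStateMac="true" viewStateEncryptionMode="Always" />
         Placeholder keys below: REPLACE with random hex before deployment. -->
    <machineKey
      validationKey="0F1E2D3C4B5A69788796A5B4C3D2E1F0F0E1D2C3B4A5968778695A4B3C2D1E0F0F1E2D3C4B5A69788796A5B4C3D2E1F0F0E1D2C3B4A5968778695A4B3C2D1E0F"
      decryptionKey="A5B4C3D2E1F00F1E2D3C4B5A69788796A5B4C3D2E1F00F1E"
      validation="3DES" />

    <!-- MAC validation is the part that makes the bogus view state fail closed.
         Keep it on; it is the default, but make it explicit. -->
    <pages enableViewStateMac="true" />

  </system.web>
</configuration>
```

Two practical caveats: the keys must be identical on every server in a farm (or the MAC will fail for legitimate postbacks that land on a different node), and rotating them invalidates any view state already in flight, so do it during a quiet window.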
11 comments
Milan Negovan
on September 6, 2005
I'm not sure what their agenda is. View state is very fragile and you need to feed control content in exactly the same order, etc, etc. On top of that, why would the page email it? I don't know. They might as well do it to annoy people.
Darrel
on October 6, 2005
BTW...great site. One bug I found is your Captcha on the comments. When the captcha is created, it must time out on the server. If I open the page, let it sit for a while, then try and submit, it doesn't accept my captcha entry. On postback, it doesn't scroll to the error but when I do, it simply says 'please enter the number above again', but, this time, the number no longer appears. Took me a while to figure out what was going on.
Milan Negovan
on October 6, 2005
I don't know what the exploit is, but I keep getting hit by these people (to no avail). I'm thinking of automatically banning IPs where these attacks come from.
Milan Negovan
on October 6, 2005
Oh, and I'll get cracking on the captcha. ;)
Ellie
on February 27, 2006
Hi,
I get this too and it starts to annoy me...Therefore I want to share an idea and see what you think:
In some of the emails that are posted in the viewstate I sometimes find a BCC listed. How about sending a few emails to that email address :-)?
I'm about to write a separate error handling for the invalid_Viewstate error: if a BCC is listed that is not on my own domain (so they can not turn this against ourselves) I could send a few automated responses...
What do you think?
Milan Negovan
on February 27, 2006
Actually, I'm thinking about blacklisting them or something based on the IP. I know those must be open proxies they exploit, but if that's the case those IPs deserve to be banned for negligence.
Ben
on October 25, 2006
I have the same problem with spammers targeting my feedback page. My email function only sends to me, so they can't try the old sendmail type hacks. However, constant failure hasn't seemed to deter them and they keep on trying.
I also have an IP blacklist, which encompasses comments, trackbacks and feedback in one list, but the "Invalid viewstate" error occurs way before I have a chance to get at it. Either I will have to override another function call, or pick it up in my Application.onError check.
At present I'm the only one they are spamming, which is annoying, but I'm hardly stupid enough to click on one of their stupid links (mostly to blogspot.com blogs).
Any ideas of how to exclude this type of error in Application.OnError and set it apart from other 500 errors?
Milan Negovan
on October 30, 2006
Ben, take a look at this post. I provided source code of an HttpModule which nips this view state attack in the bud.
Nicholas
on September 6, 2005
Woah! I was waiting for someone to blog on this. I searched Google and could not find anything, but for almost 5 months now, every week or so, I'll get someone attempting this. Every time it's a spam e-mail inside the ViewState contents. Huh? Is this trying to exploit a super old viewstate bug or something? Overflow?