界: Security Features
软件安全不是安全软件。此处我们关注的主题包括身份验证、Access Control、机密性、加密和权限管理。
ASP.NET Misconfiguration: ViewStateMac Disabled
Abstract
攻击者可以通过禁用视图状态消息身份验证检查 (MAC) 来修改视图状态。
Explanation
在 ASP.NET 中,视图状态是一种在不同回发的 Web 表单中保持状态的机制。视图状态中存储的数据不可信,因为没有防范转发攻击的机制。当禁用视图状态消息身份验证检查时,信任视图状态尤其危险。禁用此检查相当于允许攻击者对视图状态中存储的数据进行任意更改,可能为攻击信任视图状态的代码敞开大门。攻击者可能会利用此类错误阻挠身份验证检查或更改项定价。
References
[1] Understanding ASP.NET View State Microsoft
[2] Michal Zalewski ASP.NET __VIEWSTATE crypto validation prone to replay attacks
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[7] Standards Mapping - CIS Kubernetes Benchmark complete
[8] Standards Mapping - Common Weakness Enumeration CWE ID 353
[9] Standards Mapping - FIPS200 CM
[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[11] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[12] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[13] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[14] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[15] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[16] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.5.3 Token-based Session Management (L2 L3), 10.3.2 Deployed Application Integrity Controls (L1 L2 L3)
[18] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[19] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 2.2.3
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 2.2.3
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 2.2.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 2.2.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 2.2.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 2.2.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 2.2.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 2.2.6
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 2.2 - Secure Defaults
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 2.2 - Secure Defaults
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 2.2 - Secure Defaults
[31] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
[32] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.config.dotnet.asp_dotnet_misconfiguration.viewstatemac_disabled