reallygorgo
asked on
User security breach via VIEWSTATE?
I have been getting a lot of emails following the pattern below. I wonder if anyone can
1) Figure out what information might be captured by the __VIEWSTATE / __VIEWSTATEGENERATOR gambit
2) Decode the strings passed to __VIEWSTATEGENERATOR and __VIEWSTATE (What is the process? I can write Java code for this if I need to)
3) Comment on the vulnerability of my Windows 7 machine to this approach. It seems that any online security discussions about VIEWSTATE start with the assumption that the server needs to be protected. However unless I am mistaken, this turns it around and threatens to compromise the user machine. Am I correct in thinking that this is likely a preliminary step towards a later infection attempt? Your comments are appreciated!
I know next to nothing about asp, though I have an extensive background in software generally.
Thanks
************************** ********** ********** ********** ********** ********** ******
Email subject : "Cooperation with a large firm" Received 2016-06-12
We are looking for employees working remotely.
My name is Dominick, am the personnel manager of a large International company.
Most of the work you can do from home, that is, at a distance.
Salary is $2500-$5000.
If you are interested in this offer, please visit Our Site<--A LINK
************************** ********** ********** ********** ********** ********** ******
****************** This is the link given in the initial email
******************
http://faculdadesesi.edu.br/wp-content/plugins/all-in-one-wp-security-and-firewall/lib/whois/
******************
******************This is the content accessed at the above link
******************
<meta http-equiv="REFRESH" content="0;http://options1300.com/?u=kp5k605&o=cywbzvh&t=mx2">
******************
This is the content accessed at http://options1300.com
******************
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>
</title></head>
<body >
<form method="post" action="404.aspx" id="form1">
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="WHvqI68Ox6ItNGTnRsX RoKG2camvT LKNpJzTP3b h3FSo6vsO0 YtrXsHcVHr WswtYOeGUs fCBvp+Ku7z wHwVlHKX2e wUQQF7mnCJ RerGP0Ec=" />
<input type="hidden" name="__VIEWSTATEGENERATOR " id="__VIEWSTATEGENERATOR" value="F2DD039B" />
68
</form>
</body>
</html>
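Added example, not part of the original question: a Python sketch of how the two hidden fields in a saved page like the one above can be triaged offline. It relies on the fact that an unencrypted ASP.NET view state is Base64 text whose decoded bytes begin with 0xFF 0x01. The function names are hypothetical and the sample values are constructed, not taken from the page.

```python
import base64
import binascii
import re
from html.parser import HTMLParser

class HiddenFields(HTMLParser):
    """Collect name -> value for every <input type="hidden"> on a page."""
    def __init__(self):
        super().__init__()
        self.fields = {}
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden":
            # Strip the name: saved copies sometimes carry stray spaces.
            self.fields[(a.get("name") or "").strip()] = a.get("value") or ""

def hidden_fields(html):
    parser = HiddenFields()
    parser.feed(html)
    return parser.fields

def triage_viewstate(value):
    """Classify a __VIEWSTATE value without deserializing it."""
    text = re.sub(r"\s+", "", value)  # remove whitespace added by copy/paste
    try:
        blob = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return {"kind": "not-base64"}
    if blob[:2] == b"\xff\x01":  # marker of an unencrypted serialized stream
        strings = [s.decode() for s in re.findall(rb"[\x20-\x7e]{4,}", blob)]
        return {"kind": "plaintext", "length": len(blob), "strings": strings}
    return {"kind": "opaque", "length": len(blob)}  # e.g. encrypted

def generator_id(value):
    """__VIEWSTATEGENERATOR is eight hex digits; return it as an int."""
    v = value.strip()
    return int(v, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", v) else None

# Constructed samples; only the 0xFF 0x01 prefix mirrors the real format.
PLAIN = base64.b64encode(b"\xff\x01\x0f\x05\x10constructed-text" + bytes(20)).decode()
OPAQUE = base64.b64encode(bytes(range(0x40, 0x70))).decode()
SAMPLE_HTML = (
    '<form method="post" action="404.aspx">'
    f'<input type="hidden" name="__VIEWSTATE" value="{OPAQUE[:10]} {OPAQUE[10:]}" />'
    '<input type="hidden" name="__VIEWSTATEGENERATOR " value="0A1B2C3D" /></form>'
)

if __name__ == "__main__":
    fields = hidden_fields(SAMPLE_HTML)
    print(triage_viewstate(fields["__VIEWSTATE"]), generator_id(fields["__VIEWSTATEGENERATOR"]))
```

A result of `opaque` only says the decoded bytes are not an unencrypted serialized stream; the code never deserializes the value, it only inspects bytes.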