RE: Current Project Design, Comments?

Hi Michael,
I would also be careful when storing data in the viewstate. Not only does it add to the weight of the page, but I do not believe it is encrypted. In fact, I think it is just BASE64 encoded. So I would not be storing anything too sensitive there either (unless you are in SSL, perhaps...).

I would/do only use the viewstate for processing the data in your UI, but not store any real data there.

-tim

-----Original Message-----
From: Michael Loll [mailto:mloll@pointetech.com] Sent: Friday, February 14, 2003 3:38 PM
To: webappsec@securityfocus.com
Subject: RE: Current Project Design, Comments?

I do not use query strings, data is passed between pages via the "code behind model" or the ViewState mechanism in ASP.NET, or via my custom session variables.

-----Original Message-----
From: Logan F.D. Greenlee [mailto:lgreenlee@ciretose.net] Sent: Friday, February 14, 2003 4:30 PM
To: Brass, Phil (ISS Atlanta); Michael Loll; webappsec@securityfocus.com Subject: RE: Current Project Design, Comments?

        In most cases one should not use query strings in ASP.NET. Critical information such as account ID, or user information should be stored in the users session. Most frequently this is a user object. The aspx forms are then responsible for retrieving them from the user's session. By doing this query string based attacks are mitigated. The "code behind model" helps to reinforce this model. By using form post back all variables are held in the form state.

_logan

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

-----Original Message-----
From: Brass, Phil (ISS Atlanta) [mailto:PBrass@iss.net] Sent: Friday, February 14, 2003 4:12 PM
To: Michael Loll; webappsec@securityfocus.com Subject: RE: Current Project Design, Comments?

In addition to SQL injection, it sounds like you need to consider row-level security. Imagine you have a form target view_account.asp?acct_id=10107. Let's say I'm allowed to view account 10107, but Michael isn't. If acct_id's are relatively predictable (and this kind of ID is typically a sequential ID generated by database), then Michael might request view_account.asp?acct_id=10107. Or he might even write a script to request all account IDs and see what he gets.

Also, I note that you made no mention of how you plan on keeping session state - i.e. when a new request comes in, how do you know if the user has already logged in or not, who the user is, etc.? IIS session object? A custom session ID?

Phil

> -----Original Message-----

> a client. I would welcome any comments on my security design so far.

> to the specified tables and procedures needed to perform its duties.
Received on Fri Feb 14 18:48:13 2003