One more example.
http://www.theregister.co.uk/2005/05/11/ms_gatekeeper_test_fiasco/
It looks like someone already used this to rig his scores in the Microsoft Security Professional competition.
ROFL.
A.
Michal Zalewski wrote:
| I would also like to point all concerned to an excellent post about
| replay attacks on __VIEWSTATE; the post is by Scott Mitchell, the
| guy who authored the MSDN article I initially referred to [1]:
|
| http://scottonwriting.net/sowblog/posts/3747.aspx
|
| His article is aimed at developers; Scott explains the issue I
| reported in a way that makes it perhaps more clear why putting user
| ID, session ID, or other similar data in __VIEWSTATE is not a
| remedy by itself, and why reposting __VIEWSTATE is dangerous
| despite target script location checks.
|
| [1] http://msdn.microsoft.com/library/en-us/dnaspp/html/viewstate.asp
|
| Cheers,
| /mz
--
La Châtelier's Law:
  If some stress is brought to bear on a system in equilibrium, the equilibrium is displaced in the direction which tends to undo the effect of the stress.
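The point quoted above, that a user or session ID carried inside __VIEWSTATE is just data and does not by itself stop a replay, is easier to see with a small model. The Python below is an added example for this thread, not code from Scott Mitchell, Microsoft or anyone on the list; it assumes a constructed secret and a simplified base64(JSON + HMAC-SHA1) state format standing in for real ViewState, and it uses a per-user MAC key in the role ASP.NET's ViewStateUserKey plays.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed server-side secret (plays the role of the machineKey); not from the page.
MACHINE_KEY = b"constructed-demo-machine-key"


def make_viewstate(fields: dict, user_key: str = "") -> str:
    """Serialize page state as base64(payload || HMAC). An empty user_key models
    a page that only MACs the state; a non-empty one binds it to the caller."""
    payload = json.dumps(fields, sort_keys=True).encode()
    mac = hmac.new(MACHINE_KEY, payload + user_key.encode(), hashlib.sha1).digest()
    return base64.b64encode(payload + mac).decode()


def load_viewstate(blob: str, user_key: str = "") -> Optional[dict]:
    """Verify the MAC (with the caller's key) and return the state, or None."""
    raw = base64.b64decode(blob)
    payload, mac = raw[:-20], raw[-20:]
    expected = hmac.new(MACHINE_KEY, payload + user_key.encode(), hashlib.sha1).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(payload)


def replay_accepted(bind_to_user: bool) -> bool:
    """Alice's ViewState, which even embeds her own session id, is reposted from
    within Bob's session. Returns True if the server accepts it."""
    alice_state = {"sid": "sess-alice", "amount": 1000, "to": "acct-x"}  # constructed
    alice_key = "sess-alice" if bind_to_user else ""
    blob = make_viewstate(alice_state, alice_key)
    # Bob's request carries Bob's cookie, so the server derives Bob's key, not Alice's.
    bob_key = "sess-bob" if bind_to_user else ""
    state = load_viewstate(blob, bob_key)
    # With no per-user binding the MAC verifies: the embedded "sid" is never checked
    # against the live session, so it adds nothing. With binding the MAC fails.
    return state is not None
```

Embedding the session id only helps if the server actually compares it with the live session on every postback; keying the MAC per user rejects the replayed blob before any field is trusted.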