Hello guys, I am a beginner in web application Security, so I started to train on webgoat.i would like to make numeric SQL injection attack but in ASP.net. So I created a dropdownlist that retrieves the names of cities and a gridview for display! The problem is when I change the ID value with tamperdata, nothing happens. I look a bit and I think that's a problem with ViewState, so it's impossible to make this attack in ASP.net? how could circumvent this viewstate or Disenable it for testing. Or any hint! Thank you ! Best regards!

Is the ViewState and EventValidation being URL encoded when being sent back to the server? What is the HTTP response you are getting? Ryan Dewhurst blog www.ethicalhack3r.co.uk projects www.dvwa.co.uk | www.webwordcount.com twitter www.twitter.com/ethicalhack3r On Mon, Apr 25, 2011 at 1:15 PM, Oussama Gabi <oussama.gabi@gmail.com>wrote: > Hello guys, > > I am a beginner in web application Security, so I started to train on > webgoat.i would like to make numeric SQL injection attack but in ASP.net. > So I created a dropdownlist that retrieves the names of cities and a > gridview for display! > The problem is when I change the ID value with tamperdata, nothing happens. > I look a bit and I think that's a problem with ViewState, so it's impossible > to make this attack in ASP.net? > how could circumvent this viewstate or Disenable it for testing. Or any > hint! > > Thank you ! > > > Best regards! > > > _______________________________________________ > The Web Security Mailing List > > WebSecurity RSS Feed > http://www.webappsec.org/rss/websecurity.rss > > Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA > > WASC on Twitter > http://twitter.com/wascupdates > > websecurity@lists.webappsec.org > http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org > >

Yes, i've disabled the enableValidation, for the ViewState i added EnableViewState=flase in the dropdownList without any result. The server response: Status=OK - 200 Server=ASP.NET Development Server/10.0.0.0 Date=Mon, 25 Apr 2011 16:22:39 GMT X-AspNet-Version=2.0.50727 Cache-Control=private Content-Type=text/html; charset=utf-8 Content-Length=1331 Connection=Close Thank you very much 2011/4/25 Ryan Dewhurst <ryandewhurst@gmail.com> > Is the ViewState and EventValidation being URL encoded when being sent back > to the server? > > What is the HTTP response you are getting? > > > Ryan Dewhurst > > blog www.ethicalhack3r.co.uk > projects www.dvwa.co.uk | www.webwordcount.com > twitter www.twitter.com/ethicalhack3r > > > On Mon, Apr 25, 2011 at 1:15 PM, Oussama Gabi <oussama.gabi@gmail.com>wrote: > >> Hello guys, >> >> I am a beginner in web application Security, so I started to train on >> webgoat.i would like to make numeric SQL injection attack but in ASP.net. >> So I created a dropdownlist that retrieves the names of cities and a >> gridview for display! >> The problem is when I change the ID value with tamperdata, nothing >> happens. I look a bit and I think that's a problem with ViewState, so it's >> impossible to make this attack in ASP.net? >> how could circumvent this viewstate or Disenable it for testing. Or any >> hint! >> >> Thank you ! >> >> >> Best regards! >> >> >> _______________________________________________ >> The Web Security Mailing List >> >> WebSecurity RSS Feed >> http://www.webappsec.org/rss/websecurity.rss >> >> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA >> >> WASC on Twitter >> http://twitter.com/wascupdates >> >> websecurity@lists.webappsec.org >> >> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org >> >> >

 Is the ViewState and EventValidation being URL encoded when being
 sent back to the server?

 What is the HTTP response you are getting?



 Ryan Dewhurst

 blog www.ethicalhack3r.co.uk <http://www.ethicalhack3r.co.uk>
 projects www.dvwa.co.uk <http://www.dvwa.co.uk> |
 www.webwordcount.com <http://www.webwordcount.com>
 twitter www.twitter.com/ethicalhack3r
 <http://www.twitter.com/ethicalhack3r>


 On Mon, Apr 25, 2011 at 1:15 PM, Oussama Gabi
 <oussama.gabi@gmail.com <mailto:oussama.gabi@gmail.com>> wrote:

     Hello guys,

     I am a beginner in web application Security, so I started to
     train on webgoat.i would like to make numeric SQL injection
     attack but in ASP.net.
     So I created a dropdownlist that retrieves the names of cities
     and a gridview for display!
     The problem is when I change the ID value with tamperdata,
     nothing happens. I look a bit and I think that's a problem
     with ViewState, so it's impossible to make this attack in ASP.net?
     how could circumvent this viewstate or  Disenable it for
     testing. Or any hint!

     Thank you !


     Best regards!


     _______________________________________________
     The Web Security Mailing List

     WebSecurity RSS Feed
     http://www.webappsec.org/rss/websecurity.rss

     Join WASC on LinkedIn
     http://www.linkedin.com/e/gis/83336/4B20E4374DBA

     WASC on Twitter
     http://twitter.com/wascupdates

     websecurity@lists.webappsec.org
     <mailto:websecurity@lists.webappsec.org>
     http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

Hi Sharing the code could be a good idea. Maybe put it up on github or something. Best regards, Erlend On 25.04.2011 17:38, Oussama Gabi wrote: > Yes, i've disabled the enableValidation, for the ViewState i added > EnableViewState=flase in the dropdownList without any result. > > The server response: > > Status=OK - 200 > Server=ASP.NET <http://ASP.NET> Development Server/10.0.0.0 > <http://10.0.0.0> > Date=Mon, 25 Apr 2011 16:22:39 GMT > X-AspNet-Version=2.0.50727 > Cache-Control=private > Content-Type=text/html; charset=utf-8 > Content-Length=1331 > Connection=Close > > > Thank you very much > > > 2011/4/25 Ryan Dewhurst <ryandewhurst@gmail.com > <mailto:ryandewhurst@gmail.com>> > > Is the ViewState and EventValidation being URL encoded when being > sent back to the server? > > What is the HTTP response you are getting? > > > > Ryan Dewhurst > > blog www.ethicalhack3r.co.uk <http://www.ethicalhack3r.co.uk> > projects www.dvwa.co.uk <http://www.dvwa.co.uk> | > www.webwordcount.com <http://www.webwordcount.com> > twitter www.twitter.com/ethicalhack3r > <http://www.twitter.com/ethicalhack3r> > > > On Mon, Apr 25, 2011 at 1:15 PM, Oussama Gabi > <oussama.gabi@gmail.com <mailto:oussama.gabi@gmail.com>> wrote: > > Hello guys, > > I am a beginner in web application Security, so I started to > train on webgoat.i would like to make numeric SQL injection > attack but in ASP.net. > So I created a dropdownlist that retrieves the names of cities > and a gridview for display! > The problem is when I change the ID value with tamperdata, > nothing happens. I look a bit and I think that's a problem > with ViewState, so it's impossible to make this attack in ASP.net? > how could circumvent this viewstate or Disenable it for > testing. Or any hint! > > Thank you ! > > > Best regards! > > > _______________________________________________ > The Web Security Mailing List > > WebSecurity RSS Feed > http://www.webappsec.org/rss/websecurity.rss > > Join WASC on LinkedIn > http://www.linkedin.com/e/gis/83336/4B20E4374DBA > > WASC on Twitter > http://twitter.com/wascupdates > > websecurity@lists.webappsec.org > <mailto:websecurity@lists.webappsec.org> > http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org > > > > > _______________________________________________ > The Web Security Mailing List > > WebSecurity RSS Feed > http://www.webappsec.org/rss/websecurity.rss > > Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA > > WASC on Twitter > http://twitter.com/wascupdates > > websecurity@lists.webappsec.org > http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

Try https://gist.github.com/ . Nice place for sharing (public) code. -- David Rajchenbach-Teller CSO, MLstate On Apr 25, 2011, at 6:55 PM, Erlend Oftedal wrote: > Hi > > Sharing the code could be a good idea. Maybe put it up on github or something. > > > Best regards, > Erlend > >

Hello guys, For testing I put the enableViewStateMac to false, now there is no hash at the end of the ViewState. Then I intercept the request with BurpProxy. The ViewState code is %2FwEPDwUKMTAxMTc1NDMyNA9kFgICAw9kFgICAQ8QDxYGHg1EYXRhVGV4dEZpZWxkBQNOb20eDkRhdGFWYWx1ZUZpZWxkBQhJZF9WaWxsZR4LXyFEYXRhQm91bmRnZBAVBgpDYXNhYmxhbmNhBVJhYmF0BFNhZmkGVGFuZ2VyBkFnYWRpcgVTYWZpZRUGAzIwMAMyMDEDMjAyAzIwMwMyMDQDMjAyFCsDBmdnZ2dnZ2RkGAEFCUdyaWRWaWV3MQ88KwAKAQgCAWQ%3D I get something like that when i decode it : ÿ
 1011754324dd
 DataTextFieldNomDataValueFieldId_Ville_!DataBoundgd CasablancaRabatSafiTangerAgadirSafie200201202203204202+ggggggdd
 GridView1<+�

d my goal is to add or 1=1 to display all the cities with tamperature . So i add it after the value selected in the dropdownlist e.g 201, it will be 201 or 1=1 i encode the all to base64. but i got an error session information is not valid.... i've tried to change the centent-length in vain.. I know it's stupid, but i wanna make this exemple.. *this is my Code* https://gist.github.com/943987 do you have any ideas please? Thank you Best regards Oussama GABI 2011/4/25 Erlend Oftedal <erlend@oftedal.no> > Hi > > Sharing the code could be a good idea. Maybe put it up on github or > something. > > > Best regards, > Erlend > > > > On 25.04.2011 17:38, Oussama Gabi wrote: > > Yes, i've disabled the enableValidation, for the ViewState i added > EnableViewState=flase in the dropdownList without any result. > > The server response: > > Status=OK - 200 > Server=ASP.NET Development Server/10.0.0.0 > Date=Mon, 25 Apr 2011 16:22:39 GMT > X-AspNet-Version=2.0.50727 > Cache-Control=private > Content-Type=text/html; charset=utf-8 > Content-Length=1331 > Connection=Close > > > Thank you very much > > > 2011/4/25 Ryan Dewhurst <ryandewhurst@gmail.com> > >> Is the ViewState and EventValidation being URL encoded when being sent >> back to the server? >> >> What is the HTTP response you are getting? >> > > >> >> Ryan Dewhurst >> >> blog www.ethicalhack3r.co.uk >> projects www.dvwa.co.uk | www.webwordcount.com >> twitter www.twitter.com/ethicalhack3r >> >> >> On Mon, Apr 25, 2011 at 1:15 PM, Oussama Gabi <oussama.gabi@gmail.com>wrote: >> >>> Hello guys, >>> >>> I am a beginner in web application Security, so I started to train on >>> webgoat.i would like to make numeric SQL injection attack but in ASP.net. >>> So I created a dropdownlist that retrieves the names of cities and a >>> gridview for display! >>> The problem is when I change the ID value with tamperdata, nothing >>> happens. I look a bit and I think that's a problem with ViewState, so it's >>> impossible to make this attack in ASP.net? >>> how could circumvent this viewstate or Disenable it for testing. Or any >>> hint! >>> >>> Thank you ! >>> >>> >>> Best regards! >>> >>> >>> _______________________________________________ >>> The Web Security Mailing List >>> >>> WebSecurity RSS Feed >>> http://www.webappsec.org/rss/websecurity.rss >>> >>> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA >>> >>> WASC on Twitter >>> http://twitter.com/wascupdates >>> >>> websecurity@lists.webappsec.org >>> >>> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org >>> >>> >> > > _______________________________________________ > The Web Security Mailing List > > WebSecurity RSS Feedhttp://www.webappsec.org/rss/websecurity.rss > > Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA > > WASC on Twitterhttp://twitter.com/wascupdates > websecurity@lists.webappsec.orghttp://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org > > > > _______________________________________________ > The Web Security Mailing List > > WebSecurity RSS Feed > http://www.webappsec.org/rss/websecurity.rss > > Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA > > WASC on Twitter > http://twitter.com/wascupdates > > websecurity@lists.webappsec.org > http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org > >