iTnews
  • Home
  • News
  • Technology
  • Security

Server flaw to be revealed at Black Hat

By SC Australia Staff on Feb 1, 2010 1:42PM

View state feature could reveal sensitive information.

A technique that allows visibility to a username, password and credit-card number that is temporarily stored on a server during a session will be demonstrated at next week's Black Hat conference in Washington DC.

According to Dark Reading, the technique, which is used in web application development platforms that provide a constant look-and-feel across multiple web pages, can potentially expose sensitive user data, and will be demonstrated along with new vulnerabilities in Apache MyFaces, Sun Mojarra and Microsoft ASP.NET.

What is called the ‘view state' technique is a method for tracking changes to visual components on a web page that lets the web server update a web page without moving from that page.

Trustwave's SpiderLabs will demonstrate the types of attacks that can be waged using this class of vulnerabilities. David Byrne, senior security consultant, and security consultant Rohini Sulatycki will also release a security advisory about the vulnerabilities, along with steps to prevent them from exploitation.

Byrne said: “This is a fairly complicated vulnerability. View state is something most people have heard of, but they are not familiar with its inner workings. The tool we're going to release will help reveal those inner workings.

“This is the first time a vulnerability of this nature has been discovered. Until now, developers have had the option of deploying best practices offered by all three framework vendors in how they configure the framework.

“But [some developers] have not taken these recommendations seriously because there were not any specific vulnerabilities associated with them before. Our findings demonstrate that these best practices are there to protect you. Organisations already following them will not be affected by this [type of vulnerability or attack].”

He claimed that the best protection is to encrypt view state so data cannot be read or modified. The research will reveal that Apache MyFaces and Sun Mojarra can be exploited to read session data stored on the server while a user is interacting with a website. Microsoft's ASP.NET has a less-critical vulnerability that could result in a cross-site scripting (XSS) attack.

Byrne told Dark Reading that with a targeted attack, a hacker would be able to steal the user's credentials to do further damage. He said: “View state would be a viable mechanism for a targeted attack.”

See original article on scmagazineuk.com

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © SC Magazine, US edition
Tags:
informationmaliciousofsecurityserverstateuseuserview

Partner Content

Avoiding CAPEX by making on-premise IT more cloud-like
Promoted Content Avoiding CAPEX by making on-premise IT more cloud-like
Accenture and Google Cloud team up to create a loveable, Australian-first, renewable energy product
Promoted Content Accenture and Google Cloud team up to create a loveable, Australian-first, renewable energy product
Security: Understanding the fundamentals of governance, risk & compliance
Promoted Content Security: Understanding the fundamentals of governance, risk & compliance
Why rethinking your CMS is crucial for customer retention
Promoted Content Why rethinking your CMS is crucial for customer retention

Sponsored Whitepapers

Extracting the value of data using Unified Observability
Extracting the value of data using Unified Observability
Planning before the breach: You can’t protect what you can’t see
Planning before the breach: You can’t protect what you can’t see
Beyond FTP: Securing and Managing File Transfers
Beyond FTP: Securing and Managing File Transfers
NextGen Security Operations: A Roadmap for the Future
NextGen Security Operations: A Roadmap for the Future
Video: Watch Juniper talk about its Aston Martin partnership
Video: Watch Juniper talk about its Aston Martin partnership

Events

  • Micro Focus Information Management & Governance (IM&G) Forum 2022
  • CRN Channel Meets: CyberSecurity Live Event
  • IoT Insights: Secure By Design for manufacturing
  • Cyber Security for Government Summit
  • Forrester Technology & Innovation Asia Pacific 2022
By SC Australia Staff
Feb 1 2010
1:42PM
0 Comments

Related Articles

  • Collins Foods puts IT focus on security controls, cloud services
  • Australian Red Cross clients potentially caught up in international cyber attack
  • US State Department phones hacked with spyware
  • FBI email infrastructure hijacked to send out fake messages
Share on Twitter Share on Facebook Share on LinkedIn Share on Whatsapp Email A Friend

Most Read Articles

Qantas calls time on IBM, Fujitsu in tech modernisation

Qantas calls time on IBM, Fujitsu in tech modernisation
Researchers hacked Oracle servers to demo serious vulnerability

Researchers hacked Oracle servers to demo serious vulnerability
PayTo rollout kicks off

PayTo rollout kicks off
Australian scientists build world's first quantum computer IC

Australian scientists build world's first quantum computer IC

Digital Nation

The security threat of quantum computing
The security threat of quantum computing
Integrity, ethics and board decisions in the digital age
Integrity, ethics and board decisions in the digital age
COVER STORY: Operationalising net zero through the power of IoT
COVER STORY: Operationalising net zero through the power of IoT
IBM global chief data officer on the rise of the number crunchers
IBM global chief data officer on the rise of the number crunchers
Crypto experts optimistic about future of Bitcoin: Block
Crypto experts optimistic about future of Bitcoin: Block
All rights reserved. This material may not be published, broadcast, rewritten or redistributed in any form without prior authorisation.
Your use of this website constitutes acceptance of nextmedia's Privacy Policy and Terms & Conditions.