Why not attack Web Forms applications by handing in your own value for ViewState, which is just passed around as a hidden input? When the encrypted stuff gets decrypted... surprise! I'm not sure what to do about this yet. Per this you may prevent a CSRF (cross-site request forgery) attack by checking against something kept in Session. I guess you can also try to look at who bumped into you in a web form's code-behind like this:
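// UrlReferrer is null when the request carries no Referer header, so guard before dereferencing.
System.Uri whereWasI = Request.UrlReferrer;
string whereExactlyWasI = (whereWasI != null) ? whereWasI.OriginalString : null;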
cheesy/sleazy
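The Session-based check mentioned above, as an added example that is not code from the original post: a per-session random token is stored in Session, bound to ViewState through `Page.ViewStateUserKey`, and compared on every POST. The class name `TransferPage` and the key `AntiCsrfToken` are hypothetical, and .NET Framework 4.0 or later is assumed.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.UI;

// Hypothetical code-behind class; the names below are assumptions, not from the post.
public class TransferPage : Page
{
    private const string TokenName = "AntiCsrfToken"; // Session key and hidden field name

    protected override void OnInit(EventArgs e)
    {
        // Create one random token per session on first use.
        string token = Session[TokenName] as string;
        if (token == null)
        {
            byte[] raw = new byte[32];
            using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
                rng.GetBytes(raw);
            token = Convert.ToBase64String(raw);
            Session[TokenName] = token;
        }
        // Ties the ViewState MAC to this session, so a ViewState value issued
        // for a different session fails validation. Must be set during Init.
        ViewStateUserKey = token;
        base.OnInit(e);
    }

    protected override void OnLoad(EventArgs e)
    {
        string expected = (string)Session[TokenName];
        // Check every POST, not only IsPostBack: a forged form may omit __VIEWSTATE.
        if (Request.HttpMethod == "POST" && !SameToken(Request.Form[TokenName], expected))
            throw new HttpException(403, "Anti-CSRF token missing or wrong.");
        // Emit the token as a hidden input on every render of the form.
        ClientScript.RegisterHiddenField(TokenName, expected);
        base.OnLoad(e);
    }

    // Length-checked comparison that always walks the full string.
    private static bool SameToken(string supplied, string expected)
    {
        if (supplied == null || supplied.Length != expected.Length) return false;
        int diff = 0;
        for (int i = 0; i < expected.Length; i++) diff |= supplied[i] ^ expected[i];
        return diff == 0;
    }
}
```

Unlike the Referer header, which can be absent, the token comparison depends only on a value the server itself issued and stored.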