禁用視圖狀態 (View State) 消息 authentication 檢查 (MAC) 會使攻擊者修改視圖狀態 (View State)。
在 ASP.NET 中,視圖狀態 (View State) 是在回發過程中維持 Web 表單中的狀態的一種方法。存儲在視圖狀態 (View State) 中的數據不值得信任,因為無法阻止 replay 攻擊。在禁用了視圖狀態 (View State) 消息 authentication 檢查后,信任視圖狀態會特別危險。如果禁用該檢查,那么攻擊者將對存儲在視圖狀態 (View State) 中的數據進行任意更改,并使信任視圖狀態 (View State) 的代碼容易受到攻擊。攻擊者可能會利用這種錯誤攻擊 authentication 檢查,或者改變項目價格。
[1] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A10 Insecure Configuration Management
[2] Standards Mapping - OWASP Top 10 2010 - (OWASP 2010) A6 Security Misconfiguration
[3] Michal Zalewski ASP.NET __VIEWSTATE crypto validation prone to replay attacks
[4] Standards Mapping - FIPS200 - (FISMA) CM
[5] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 353
[6] Scott on Writing Don't Trust ViewState
[7] Standards Mapping - Web Application Security Consortium 24 + 2 - (WASC 24 + 2) Insufficient Authentication
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.10
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 6.5.8
[10] Understanding ASP.NET View State Microsoft