- It is not centrally enforced: ViewStateUserKey has to be set in the code of every page (no later than Page_Init), and any developer can opt a page out by disabling ViewState or, worse, by setting EnableViewStateMac="false", which removes the very check the key relies on (kind of like ripping out your firewalls and hoping everyone has an up-to-date and securely configured desktop firewall instead).
- It is fragile over load-balanced connections or across IIS app pools: the ViewState MAC is validated with the machineKey, which must be identical on every node, and when the key is Session.SessionID the session ID is likely not shared between nodes, so the postback fails validation or the key silently changes between render and submit.
- Most importantly, the ViewState MAC (and with it ViewStateUserKey) is only checked while a postback is being processed. Anything that does not go through the postback pipeline gets no protection at all: state-changing GETs, pages that act on query-string parameters in Page_Load, and handlers outside the Page class (.ashx handlers, ASMX web services), so if you have apps that don't use postbacks you are still vulnerable.
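As an added example (this is not code from the original post), a base Page class that sets ViewStateUserKey in one place so individual pages cannot forget it, pins Session.SessionID before using it as the key, and guards a query-string-driven action that would otherwise run on a plain GET. The class name CsrfProtectedPage, the helper RequirePostBack and the DeleteAccount page are hypothetical names chosen for illustration.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Added example, not from the original post. CsrfProtectedPage and
// RequirePostBack are hypothetical names.
public class CsrfProtectedPage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);

        // With cookie-based sessions ASP.NET issues a fresh SessionID on every
        // request until something is stored in Session. Without this anchor the
        // key would differ between rendering the form and processing the postback.
        if (Session["csrf-anchor"] == null)
        {
            Session["csrf-anchor"] = DateTime.UtcNow;
        }

        // Must be set no later than the Init stage, before ViewState is loaded.
        // The key is mixed into the ViewState MAC, so a form rendered for one
        // session fails validation when posted back from another.
        ViewStateUserKey = Session.SessionID;
    }

    // The MAC, and therefore ViewStateUserKey, is only verified while a postback
    // is processed. Call this before any state change that can be reached from
    // Page_Load, so a plain GET (or a request crafted to look like one) cannot
    // trigger it without passing ViewState validation first.
    protected void RequirePostBack()
    {
        if (!IsPostBack)
        {
            throw new HttpException(400, "State-changing action requires a postback.");
        }
    }
}

// A page deriving from the base class: the key is already set, and the
// query-string command is refused unless it arrived with a validated postback.
public partial class DeleteAccount : CsrfProtectedPage
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // ?action=delete on a GET never reaches ViewState validation, which is
        // exactly the gap ViewStateUserKey leaves open. Insist on a postback.
        if (Request.QueryString["action"] == "delete")
        {
            RequirePostBack();
            PerformDeletion();
        }
    }

    private void PerformDeletion()
    {
        // ... perform the deletion for the current user ...
    }
}
```

The base class only narrows the first and third gaps above: it does nothing about a page that sets EnableViewStateMac="false" (newer ASP.NET releases ignore that setting and always enforce the MAC), and across a web farm it still needs an identical machineKey on every node.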
ViewStateUserKey Doesn’t Prevent Cross-Site Request Forgery - KeepItLocked.net