- ViewState code injection attacks can lead to remote code execution, Microsoft has warned
- Many developers do not generate their own machine keys for ViewState
- Thousands of keys are publicly accessible
Cybercriminals are abusing a weakness in ASP.NET websites to execute malicious code remotely, according to Microsoft's Threat Intelligence team, which has published an in-depth analysis of the new method.
In the article, Microsoft explained that threat actors inject malicious code through a method called ViewState code injection.
ViewState is a feature of ASP.NET websites that helps remember the user's input and page settings when the page is refreshed. It stores this information in a hidden part of the web page so that when the user interacts with the page again, it can reload the saved data without losing anything.
Accept the malicious code
It turns out that many developers use machine keys (security codes designed to protect the website's ViewState data) that they find online, rather than generating their own. These machine keys are meant to prevent tampering with ViewState, which tracks data on web pages as users interact with them.
However, if developers can find these keys, so can criminals. When they do, they can use them to inject harmful content into a website's ViewState. Because the machine key matches the one the website expects, the server decrypts and processes the malicious code, allowing attackers to execute their own commands on the server. This can lead to remote code execution, Microsoft warned.
The researchers found more than 3,000 publicly disclosed keys that can be used in these attacks. The researchers added that, in some cases, developers could also push these public keys into their code.
To prevent these attacks, Microsoft advises developers to generate their own machine keys, avoid using default or publicly accessible keys, and protect sensitive data by encrypting parts of their configuration files.
Upgrading to a more recent version of ASP.NET is also recommended, as is the use of security features such as the Antimalware Scan Interface (AMSI).
Microsoft has also provided instructions on how to remove or replace insecure machine keys in server configuration files, and has removed examples of these keys from its public documentation to discourage the insecure practice.
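A defensive check for the advice above, as an added example that is not from Microsoft or the original article: it parses a `web.config`, finds hard-coded `machineKey` values, and flags any whose SHA-256 digest appears in a list of publicly known keys. The key values, the sample configurations and the function names are constructed for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed value standing in for a key copied from a public source.
CONSTRUCTED_PUBLIC_KEY = "0123456789ABCDEF" * 4
# Compare by digest so the audit tool never has to carry raw keys around.
KNOWN_PUBLIC_DIGESTS = {hashlib.sha256(CONSTRUCTED_PUBLIC_KEY.encode()).hexdigest()}

# Constructed web.config: validationKey reuses the "public" key (in lowercase),
# decryptionKey is a different hard-coded value.
SAMPLE_WEB_CONFIG = f"""<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="{CONSTRUCTED_PUBLIC_KEY.lower()}"
                decryptionKey="{'A1B2C3D4' * 8}"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>"""

# Constructed web.config that relies on runtime-generated keys.
AUTOGENERATED_CONFIG = """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps"
              decryptionKey="AutoGenerate,IsolateApps" />
</system.web></configuration>"""


def key_digest(value):
    """Digest of the key material, ignoring case and any ',IsolateApps' modifier."""
    material = value.split(",")[0].strip().upper()
    return hashlib.sha256(material.encode()).hexdigest()


def audit_machine_keys(xml_text, known_digests=KNOWN_PUBLIC_DIGESTS):
    """Return (attribute, status) for every hard-coded machine key in a config."""
    findings = []
    # iter() also reaches machineKey elements nested under <location> blocks.
    for element in ET.fromstring(xml_text).iter("machineKey"):
        for attribute in ("validationKey", "decryptionKey"):
            value = element.get(attribute)
            if value is None or value.strip().lower().startswith("autogenerate"):
                continue  # runtime-generated key, nothing static to leak
            public = key_digest(value) in known_digests
            findings.append((attribute, "publicly-known" if public else "static"))
    return findings


if __name__ == "__main__":
    for attribute, status in audit_machine_keys(SAMPLE_WEB_CONFIG):
        print(f"machineKey {attribute}: {status}")
```

A `publicly-known` result means the key should be replaced with a freshly generated one; a `static` result is a reminder that the key lives in the file and is a candidate for configuration encryption.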