Showing posts with label SyntaxHighlighter. Show all posts

Sunday, 27 September 2009

Configuring Machine Key in ASP.NET 3.5 to tamper proof viewState

Security is a major concern when it comes to online transactions like shopping. Today we will learn how to tamper proof your ASP.NET application using the machineKey element in the web.config file, and how to protect your sensitive ViewState data and the Forms authentication ticket.

By default, ViewState in ASP.NET is encoded, not encrypted as you might assume. ViewState is transmitted to the server as a Base64 string and can be easily decoded; see the ViewState Decoder post further down this page.

Encrypting and protecting ViewState: For a tamper proof ViewState, a hashed message authentication code (HMAC) is generated from the ViewState data and compared on subsequent requests. We can use the machineKey element to choose the validation and encryption algorithms for ViewState, e.g. SHA1, MD5, AES and 3DES. Below is how the machineKey element looks, but before that we need to set EnableViewStateMac="true" on our ASP.NET page, as in the following code segment.
<%@ Page  EnableViewStateMac="true" ViewStateEncryptionMode="Auto"  Language="C#" AutoEventWireup="true" CodeBehind="login.aspx.cs" Inherits="Using_SQL_Membership.login" %>

Or you can set it in web.config file as shown below.


EnableViewStateMac="true" enables hashing of ViewState, while ViewStateEncryptionMode takes three values: Auto, Always and Never. With ViewStateEncryptionMode set to Auto, the page is only encrypted if a control has specifically asked for it by calling the Page.RegisterRequiresViewStateEncryption() method. If it is set to Always, encryption is forced even if no control requests it. For performance reasons, do not encrypt ViewState unless it contains sensitive data.



1. validationKey: specifies the key that the HMAC algorithm uses to make ViewState tamper proof.

2. decryptionKey: specifies the key used to encrypt or decrypt data. ASP.NET uses this key only if the validation attribute is set to AES or 3DES.

3. validation: specifies the hashing algorithm used to generate the HMACs that protect ViewState.

In general, you should choose SHA1 over MD5 for tamper-proofing because this produces a larger hash than MD5 and is considered cryptographically stronger.
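As an added illustration (not code from the original post), here is a simplified model of the HMAC scheme described above: the state is Base64-encoded, so it can be read without any key, but once an HMAC-SHA1 keyed with validationKey is appended, any change made on the client is rejected on the next request. The sample state and the hex validationKey are constructed, and the framing is not ASP.NET's real ViewState serialization format.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample state and a constructed hex validationKey; the framing
# below is a simplified model, not ASP.NET's real ViewState serialization.
SAMPLE_STATE = {"page": "checkout.aspx", "cart_total": "49.99"}
VALIDATION_KEY = bytes.fromhex("0F" * 64)   # 128 hex chars, like machineKey validationKey
TAG_LEN = hashlib.sha1().digest_size        # 20 bytes


def encode_mac(state, key=VALIDATION_KEY):
    """Serialize the state and append an HMAC-SHA1 keyed with validationKey."""
    payload = json.dumps(state).encode()
    tag = hmac.new(key, payload, hashlib.sha1).digest()
    return base64.b64encode(payload + tag).decode()


def decode_mac(blob, key=VALIDATION_KEY):
    """Recompute the HMAC on the next request; return the state, or None if it fails."""
    raw = base64.b64decode(blob)
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha1).digest()
    if not hmac.compare_digest(tag, expected):
        return None   # ASP.NET raises a ViewState MAC validation error here
    return json.loads(payload)


def read_without_key(blob):
    """The MAC gives integrity, not confidentiality: the state is still readable."""
    raw = base64.b64decode(blob)
    return json.loads(raw[:-TAG_LEN])


def modified_by_client(blob, field, new_value):
    """Model a client that edits one field but has no validationKey to re-sign."""
    raw = base64.b64decode(blob)
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    state = json.loads(payload)
    state[field] = new_value
    return base64.b64encode(json.dumps(state).encode() + tag).decode()


if __name__ == "__main__":
    blob = encode_mac(SAMPLE_STATE)
    print("valid    :", decode_mac(blob))
    print("modified :", decode_mac(modified_by_client(blob, "cart_total", "0.01")))
```

The last check in the test also shows why a farm needs identical keys: a server with a different validationKey rejects a perfectly good ViewState.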

Encrypting and protecting Forms Authentication:

To ensure that forms authentication tickets are encrypted and protected against tampering, set the protection attribute of the forms element to All, as shown below.


Along with this, apply the same machineKey settings shown above.

If you deploy your application in a web farm, you must ensure that the configuration files on each server share the same values for validationKey and decryptionKey, which are used for hashing and decryption respectively. This is required because you cannot guarantee which server will handle successive requests.
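An added example (not from the original post) that generates explicit validationKey and decryptionKey values, renders the system.web fragment the post describes (pages, machineKey and forms), and checks that every server in a farm carries identical, non-AutoGenerate keys. The key sizes (128 hex chars for validationKey, 64 hex chars for an AES decryptionKey), the loginUrl and the use of the separate decryption attribute are assumptions.

```python
import secrets
import xml.etree.ElementTree as ET

# Assumed sizes: 64 bytes (128 hex chars) for validationKey and 32 bytes
# (64 hex chars) for an AES decryptionKey. Keys are generated here, not taken
# from the post.
VALIDATION_KEY_BYTES = 64
DECRYPTION_KEY_BYTES = 32


def generate_keys():
    """Explicit random keys; never AutoGenerate when more than one server is involved."""
    return {
        "validationKey": secrets.token_hex(VALIDATION_KEY_BYTES).upper(),
        "decryptionKey": secrets.token_hex(DECRYPTION_KEY_BYTES).upper(),
    }


def render_config(keys, validation="SHA1", decryption="AES", mode="Auto"):
    """The system.web fragment the post describes; loginUrl is a hypothetical value."""
    return (
        '<system.web>\n'
        f'  <pages enableViewStateMac="true" viewStateEncryptionMode="{mode}" />\n'
        f'  <machineKey validationKey="{keys["validationKey"]}"\n'
        f'              decryptionKey="{keys["decryptionKey"]}"\n'
        f'              validation="{validation}" decryption="{decryption}" />\n'
        '  <authentication mode="Forms">\n'
        '    <forms loginUrl="login.aspx" protection="All" />\n'
        '  </authentication>\n'
        '</system.web>'
    )


def machine_key_settings(fragment):
    """Pull the machineKey attributes out of one server's system.web fragment."""
    mk = ET.fromstring(fragment).find("machineKey")
    if mk is None:
        return None
    return {a: mk.get(a, "") for a in ("validationKey", "decryptionKey", "validation", "decryption")}


def forms_protected(fragment):
    """True if the forms element asks for both encryption and validation."""
    forms = ET.fromstring(fragment).find("authentication/forms")
    return forms is not None and forms.get("protection") == "All"


def farm_consistent(fragments):
    """True only if every server has explicit (non-AutoGenerate) keys and they all match."""
    settings = [machine_key_settings(f) for f in fragments]
    if any(s is None or "AutoGenerate" in s["validationKey"] + s["decryptionKey"] for s in settings):
        return False
    return all(s == settings[0] for s in settings)
```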

Viewing ASP.NET viewstate with ViewState Decoder
Do you ever wonder what may be inside that ASP.NET ViewState? As a tester, don't you think you should? It's a good thing to wonder about if you care about security. It's possible that the ViewState could contain sensitive user information that could be compromised in a man in the middle attack. For example, a user can input a credit card number into a textbox which would be passed to the next page via the ViewState. Not good... The ViewState is not encrypted by default; it's just simple Base64 encoding, which can easily be decoded with cool little tools like ViewState Decoder by Fritz Onion.

Wednesday, 9 September 2009

How to add syntax highlighting to Blogger with Alex Gorbatchev's open-source SyntaxHighlighter.

How to display code (nicely) in Blogger posts
I’ve long been envious of all those blogs that show code, nicely formatted and even with line numbers! I finally found out how it’s done.

1. Log into your Blogspot account, select the "Layout" tab, and then click "Edit HTML."
2. Click "Download Full Template" to make a backup of your current template.
3. Make a copy of your template, open it in an editor, and find the </head> closing tag. Before that tag, add the following:

<link href='http://alexgorbatchev.com/pub/sh/current/styles/shCore.css' rel='stylesheet' type='text/css'/>
<link href='http://alexgorbatchev.com/pub/sh/current/styles/shThemeDefault.css' rel='stylesheet' type='text/css'/>
<script src='http://alexgorbatchev.com/pub/sh/current/scripts/shCore.js' type='text/javascript'/>
<!-- add brushes here -->
<script type='text/javascript'>
SyntaxHighlighter.config.bloggerMode = true;
SyntaxHighlighter.all();
</script>


4. After the comment that says "add brushes here," add the languages you plan to use.
For example, I'm using brushes for Javascript, CSharp, SQL, XML/HTML, and C++:

<!-- add brushes here -->
<script src='http://alexgorbatchev.com/pub/sh/current/scripts/shBrushJScript.js' type='text/javascript'/>
<script src='http://alexgorbatchev.com/pub/sh/current/scripts/shBrushCSharp.js' type='text/javascript'/>
<script src='http://alexgorbatchev.com/pub/sh/current/scripts/shBrushSql.js' type='text/javascript'/>
<script src='http://alexgorbatchev.com/pub/sh/current/scripts/shBrushXml.js' type='text/javascript'/>
<script src='http://alexgorbatchev.com/pub/sh/current/scripts/shBrushCpp.js' type='text/javascript'/>


5. See the full list of supported syntaxes.

6. Save your modified template, and upload it to Blogger (again, under Layout > Edit HTML).

You should now be able to add syntax highlighting to your blog. Wrap your code in a <pre> tag and specify the brush to use in the class attribute. For example, to highlight a block of SQL:


SELECT *
FROM users
WHERE user_id = 1212;


7. If Blogger produces an error message saying something like a tag isn't allowed, simply click the checkbox to ignore it, and hit Publish Post.

8. All thanks go to Alex Gorbatchev for creating SyntaxHighlighter in the first place. If you want to speed things up, you might want to host the SyntaxHighlighter files on your own webspace (such as on a free web host; just google).

9. If you don't care about fancily presented code and just want the job done, visit an HTML Entities Encoder and simply copy-paste... :)

HAPPY CODING :)