- ViewState code injection attacks can lead to remote code execution, Microsoft warned
- Many developers do not generate their own machine keys for ViewState
- There are thousands of publicly available keys that cyber criminals can use
Cyber criminals are abusing a weakness in ASP.NET sites to remotely execute malicious code, according to Microsoft's threat intelligence team, which has published an in-depth analysis of the new method.
In the article, Microsoft said threat actors injected malicious code through a method called a ViewState code injection attack.
ViewState is a feature of ASP.NET websites that helps remember user input and page settings when the page is updated. It stores this information in a hidden part of the web page so that when the user interacts with the page again, the stored data can be reloaded without losing anything.
Accepting malicious code
It turns out that many developers use machine keys (security codes designed to protect the site's ViewState data) that they find online, rather than generating their own. These machine keys are intended to prevent tampering with ViewState, which tracks data on web pages as users interact with them.
But if developers can find these keys, criminals can too. When they do, they can use them to inject harmful content into a site's ViewState. Because the machine key is the same as the one the site expects, the server decrypts and processes the malicious code, allowing attackers to run their own commands on the server. This can lead to remote code execution, Microsoft warned.
The researchers found more than 3,000 publicly disclosed keys that can be used in these attacks. In some cases, the researchers added, developers may unknowingly push these public keys into their code.
To prevent these attacks, Microsoft advises developers to generate their own machine keys, avoid using default or publicly available keys, and secure sensitive data by encrypting parts of their configuration files.
Upgrading to a newer version of ASP.NET is also recommended, as is using security features such as the Antimalware Scan Interface (AMSI).
Microsoft also provided instructions on how to remove or replace insecure machine keys in the server's configuration files, and removed examples of these keys from its public documentation to deter the insecure practice.
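The configuration check described above can be automated. The following Python is an added example, not Microsoft's script or code from the original article: it scans a web.config for hard-coded `machineKey` values, flags any whose SHA-256 fingerprint appears in a blocklist of publicly disclosed keys, and generates replacement keys. The sample configuration, key values, blocklist and key sizes are constructed assumptions.

```python
import hashlib
import secrets
import xml.etree.ElementTree as ET

# Constructed placeholder key, used only so the sample below has something to flag.
SAMPLE_KEY = "0123456789ABCDEF" * 4

# Constructed sample web.config with hard-coded keys (not taken from any real site).
SAMPLE_WEB_CONFIG = f"""<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="{SAMPLE_KEY}"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""


def key_fingerprint(key_hex):
    """SHA-256 of the normalised key, so the blocklist never stores raw keys."""
    return hashlib.sha256(key_hex.strip().upper().encode("ascii")).hexdigest()


# Hypothetical blocklist of fingerprints of publicly disclosed keys.
KNOWN_PUBLIC = {key_fingerprint(SAMPLE_KEY)}


def audit_machine_keys(config_xml, known_public):
    """Return (attribute, status) for every key that is not auto-generated."""
    findings = []
    for elem in ET.fromstring(config_xml).iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            # Values may carry modifiers, e.g. "AutoGenerate,IsolateApps".
            key = elem.get(attr, "AutoGenerate").split(",")[0].strip()
            if key.lower() == "autogenerate":
                continue
            known = key_fingerprint(key) in known_public
            findings.append((attr, "publicly-known" if known else "hard-coded"))
    return findings


def generate_machine_key():
    """Fresh random keys; sizes are this example's assumption (64 and 32 bytes)."""
    return {"validationKey": secrets.token_hex(64).upper(),
            "decryptionKey": secrets.token_hex(32).upper()}


if __name__ == "__main__":
    print(audit_machine_keys(SAMPLE_WEB_CONFIG, KNOWN_PUBLIC))
```

A key reported as "hard-coded" is not necessarily public, but it should still be confirmed as one the team generated itself and, per the advice above, stored in an encrypted configuration section.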



