Microsoft Warns Developers About Code Injection Attacks Using Publicly Disclosed ASP.NET Keys

Microsoft has warned developers about the risk of using publicly available ASP.NET keys, which can leave their applications vulnerable to attack. The company reported instances of attackers attempting to exploit such keys to distribute the malicious framework known as Godzilla. In December 2024, Microsoft researchers uncovered a hacker group using a public static ASP.NET key to carry out code injection in HTML pages. The technique involves ViewState, whose data is serialized in Base64, encrypted, and signed for protection against tampering. The ViewState data is sent back to the server with each request, where it is deserialized and used to restore the page's state.
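A defensive check that follows from the warning above, as an added example (not code from Microsoft or from the original page): it scans a `web.config` for hard-coded `machineKey` values, the keys ASP.NET uses to sign and encrypt ViewState, and flags any whose SHA-256 fingerprint appears in a list of disclosed keys. The sample configuration, the key values and the fingerprint list are constructed for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample web.config; the key values are made up for this example.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
  <location path="legacy">
    <system.web>
      <machineKey validationKey="AutoGenerate,IsolateApps"
                  decryptionKey="AutoGenerate,IsolateApps" />
    </system.web>
  </location>
</configuration>"""


def key_fingerprint(key_hex):
    """SHA-256 of the normalized key, so the lookup list never holds raw keys."""
    return hashlib.sha256(key_hex.strip().upper().encode("utf-8")).hexdigest()


# Constructed stand-in for a list of fingerprints of publicly disclosed keys.
DISCLOSED_FINGERPRINTS = {
    key_fingerprint("0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"),
}


def audit_machine_keys(config_xml, disclosed):
    """Return (attribute, status) for every static key found in the config.

    STATIC    = hard-coded key: review where it came from and rotate if copied.
    DISCLOSED = hard-coded key whose fingerprint is on the disclosed list.
    """
    findings = []
    for mk in ET.fromstring(config_xml).iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr)
            # Auto-generated keys are created per machine, not copied from anywhere.
            if not value or value.split(",")[0].strip().lower() == "autogenerate":
                continue
            hit = key_fingerprint(value) in disclosed
            findings.append((attr, "DISCLOSED" if hit else "STATIC"))
    return findings


if __name__ == "__main__":
    for attr, status in audit_machine_keys(SAMPLE_WEB_CONFIG, DISCLOSED_FINGERPRINTS):
        print(f"{status}: machineKey/@{attr}")
```

A `DISCLOSED` result means the key should be replaced with a newly generated one, since anyone holding the same key can produce ViewState that passes the signature check.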