Execution of Dormant Server Controls in Unprotected Callbacks
Variants: Direct
Also Known As: EodSec
Vector Type: Attack
Relevance: Technology Specific
Layer: Application-Level
Platforms: ASP.Net, Mono, JSF
Target Type: Web Application
Affected Mechanisms: Privilege Validation, Digital Signatures, Web Application Configuration
Invented In: 15/03/2013
Added In: 04/12/2014
Vector Operation Method: Executes the dormant events of invisible or disabled server-side web controls by sending the hidden parameter that names the control, abusing the absence of event validation in a custom callback implementation.