Errata Inspired by Wednesday's DotNet SIG

by John Lansdale

Chuck’s DotNet SIG was especially fun this month. We studied (played with) Microsoft’s new Visual Studio 2008. During the meeting several side topics came up which interested me enough to do some homework on the side.

Does Microsoft's Flash-like Silverlight work in all modern browsers and platforms? I found that it works in Firefox but not in any browser running on Linux. You get the Silverlight “plug-in” at http://www.microsoft.com/silverlight/, but the download is for Microsoft platforms only. (I didn’t try the Mac.) It looks like most of the world, including the billion kids in the $100 laptop movement, will be left out. As nice as Silverlight might be, I wouldn’t use it in any long-lasting application just yet.

While looking at the Visual Studio 2008 Professional Edition that Chuck brought, we observed that it came with SQL Server 2005 Express but without any of the management tools. (For you PHP/MySQL developers, this is Windows' more sophisticated equivalent of phpMyAdmin.) We didn’t have time in the meeting to look, but you can get this for free: Microsoft SQL Server 2005 Express Edition with Advanced Services, which includes SQL Server Management Studio Express. (You can get very functional Express editions of VS 2008 too.)

While looking for the SQL Server sample database AdventureWorks, Chuck showed us another very good web site, www.codeplex.com, which is Microsoft's effort to compete with SourceForge.net. There's a lot of cool, free stuff there, including my favorite type of application, Content Management Systems. There was some code for linking Flight Simulator X to Google Earth too. That’s got to be fun. I bet you could simulate crashing a plane into your own house.

We spent a little time looking at the hidden field in ASP.NET web pages called ViewState. It’s the way Microsoft preserves state across the round trips between client and server. Cookies work too. We wondered how it worked with Ajax.

But my mind drifted to something I discovered a couple of years ago in PHP called base64 encoding. ViewState strings looked very much like base64, which is used to transport binary data in ASCII form.

A little research at home confirmed this. To be sure, I wrote a little PHP program to encode and decode strings in base64 and tried it out. It worked. I wrote another program in ASP.NET C# that encoded strings into base64 so I could check that Microsoft’s base64 is the same as PHP’s. (See listings 1 and 2 and their outputs. Note that ABC became QUJD in both. Larger strings work too.)

Then I displayed an ASP.NET page's source and cut/pasted the ViewState field into my PHP decoder. But it gave back unreadable characters! At first I thought this was an error, but then I realized the decoded data was binary, which obviously doesn’t display as text. In addition, I read that mixed in with the data is a format of its own that describes what each piece of data is.

For a good explanation of ViewState see Fritz Onion’s blog about “ViewState Encoding in ASP.NET 2.0”.

Program 1. Base64 encoder/decoder in PHP

<?php
// Read the two fields; use an empty string when the form has not been posted yet
$uncoded = isset($_POST['uncoded']) ? $_POST['uncoded'] : '';
$decoded = isset($_POST['decoded']) ? $_POST['decoded'] : '';
if (isset($_POST['encode'])) {
  $decoded = base64_encode($uncoded);
}
if (isset($_POST['decode'])) {
  // Note: the decoded result may be binary, which will not display as text
  $uncoded = base64_decode($decoded);
}
?>
<html>
<body>
<div align="center">
<h2>Encoding Master</h2>
<form method="POST">
<div>
<!-- htmlspecialchars() stops posted text from being rendered as HTML -->
Uncoded: <textarea rows="4" cols="30"
name="uncoded"><?= htmlspecialchars($uncoded) ?></textarea>
<input type="submit" name="encode" value="encode">
</div>
<div>
Decoded: <textarea rows="4" cols="30"
name="decoded"><?= htmlspecialchars($decoded) ?></textarea>
<input type="submit" name="decode" value="decode">
</div>
</form>
</div>
</body>
</html>

[Screenshot: output of Program 1, the "Encoding Master" form]

Program 2. Base64 (and MD5/SHA-512 hash) encoder in C#

using System;
using System.Text;
using System.Security.Cryptography;
using System.Web.UI;

// inputString, hHere and h64 are the TextBox/Label controls declared in the .aspx page
public partial class _Default : System.Web.UI.Page
{
  protected void Button1_Click(object sender, EventArgs e)
  {
    // Learn hashing. ASCIIEncoding replaces any non-ASCII character with '?';
    // use UTF8Encoding instead if the input may contain such characters.
    ASCIIEncoding enc = new ASCIIEncoding();
    byte[] b = enc.GetBytes(inputString.Text);

    // Hash the bytes and show the digest as base64.
    // Swap in "new SHA512Managed()" for a SHA-512 digest instead of MD5.
    using (HashAlgorithm h5 = new MD5CryptoServiceProvider())
    {
      byte[] digest = h5.ComputeHash(b);
      hHere.Text = Convert.ToBase64String(digest);
    }

    // Base64 of the raw bytes: the same value PHP's base64_encode() produces
    h64.Text = Convert.ToBase64String(b, Base64FormattingOptions.None);

    // String.GetHashCode() is a .NET-internal value, not a cryptographic hash;
    // it is computed here only for comparison while experimenting.
    int iHash = inputString.Text.GetHashCode();
  }
}

[Screenshot: output of Program 2, "Windows Encoding"]

An important tip for developers that I learned from this exercise: although DotNet ViewState looks secure, it isn’t. Base64 may not be human-readable, but anyone can easily convert it back to readable data.
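As an added example (not part of the article, and written in Python rather than the author's PHP), here is a script that does what the author did by hand with his decoder: it base64-decodes a __VIEWSTATE value and, instead of stopping at the "unreadable characters", walks the binary format far enough to list the strings and numbers inside. The token values are those of ASP.NET 2.0's ObjectStateFormatter as publicly described; that layout is an assumption of this example, not something the article states, and only the handful of tokens the sample uses are handled. The sample blob is hand-assembled here, not captured from a real page.

```python
import base64
import io

# Token values of ASP.NET 2.0's ObjectStateFormatter (LOS) format. Assumption
# of this example: taken from the public description of that format, not from
# the article. Only the subset needed for the sample below is implemented.
FORMAT_MARKER = b"\xff\x01"
T_INT32, T_BYTE, T_STRING = 2, 3, 5
T_PAIR, T_TRIPLET, T_ARRAYLIST = 15, 16, 22
T_IDX_STRING_ADD, T_IDX_STRING = 30, 31
# Tokens that carry no payload at all
SIMPLE = {100: None, 101: "", 102: 0, 103: True, 104: False}


def _read_varint(buf):
    """BinaryReader.Read7BitEncodedInt: base-128, low bits first, MSB = continue."""
    result, shift = 0, 0
    while True:
        byte = buf.read(1)
        if not byte:
            raise ValueError("truncated varint")
        result |= (byte[0] & 0x7F) << shift
        if not byte[0] & 0x80:
            return result
        shift += 7


def _read_string(buf):
    """BinaryWriter.Write(string): varint byte length followed by UTF-8 bytes."""
    length = _read_varint(buf)
    data = buf.read(length)
    if len(data) != length:
        raise ValueError("truncated string")
    return data.decode("utf-8")


def _read_value(buf, string_table):
    """Read one token and the value it introduces; containers recurse."""
    token = buf.read(1)
    if not token:
        raise ValueError("truncated stream")
    t = token[0]
    if t in SIMPLE:
        return SIMPLE[t]
    if t == T_BYTE:
        return buf.read(1)[0]
    if t == T_INT32:                      # varint, wrapped back to signed 32-bit
        n = _read_varint(buf)
        return n - (1 << 32) if n >= (1 << 31) else n
    if t == T_STRING:
        return _read_string(buf)
    if t == T_IDX_STRING_ADD:             # first occurrence: store and return
        s = _read_string(buf)
        string_table.append(s)
        return s
    if t == T_IDX_STRING:                 # later occurrence: reference by index
        return string_table[_read_varint(buf)]
    if t == T_PAIR:
        return ("Pair", _read_value(buf, string_table), _read_value(buf, string_table))
    if t == T_TRIPLET:
        return ("Triplet", _read_value(buf, string_table),
                _read_value(buf, string_table), _read_value(buf, string_table))
    if t == T_ARRAYLIST:
        count = _read_varint(buf)
        return [_read_value(buf, string_table) for _ in range(count)]
    raise ValueError("token 0x%02x not handled by this example" % t)


def decode_viewstate(b64):
    """Base64-decode a __VIEWSTATE value and parse it if it is plain LOS."""
    raw = base64.b64decode(b64)
    if not raw.startswith(FORMAT_MARKER):
        # No 0xFF 0x01 header: encrypted ViewState or a different serializer.
        return {"readable": False, "value": None, "trailing_bytes": len(raw)}
    buf = io.BytesIO(raw[len(FORMAT_MARKER):])
    value = _read_value(buf, [])
    # Bytes after the object graph are where a MAC sits when signing is enabled.
    return {"readable": True, "value": value, "trailing_bytes": len(buf.read())}


def collect_strings(value):
    """Flatten the decoded graph to the strings a reader of the page source sees."""
    if isinstance(value, str):
        return [value]
    if isinstance(value, tuple):          # (label, *members): skip our own label
        value = value[1:]
    if isinstance(value, (tuple, list)):
        return [s for item in value for s in collect_strings(item)]
    return []


# Constructed sample, hand-assembled from the tokens above (not a real page):
# Pair(Int32 1234, Triplet("AccountId=4711",
#      [Pair(0, "Customer"), "Customer", True, None], Byte 255))
SAMPLE_BYTES = (b"\xff\x01" b"\x0f" b"\x02\xd2\x09" b"\x10"
                b"\x05\x0eAccountId=4711" b"\x16\x04"
                b"\x0f\x66\x1e\x08Customer" b"\x1f\x00" b"\x67" b"\x64"
                b"\x03\xff")
SAMPLE_VIEWSTATE = base64.b64encode(SAMPLE_BYTES).decode("ascii")

if __name__ == "__main__":
    result = decode_viewstate(SAMPLE_VIEWSTATE)
    print(result)
    print("visible strings:", collect_strings(result["value"]))
```

What the script shows is the article's point: when the decoded bytes start with the 0xFF 0x01 header, the state is merely serialized, so field names and values are visible to anyone holding the page source. ASP.NET can sign the field (enableViewStateMac, on by default, which makes tampering detectable but leaves the content readable) and encrypt it (viewStateEncryptionMode="Always"), in which case the decoder above reports the blob as unreadable instead of parsing it. Anything the client should not see belongs in server-side session state rather than in ViewState.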

John Lansdale, MCP



© Danbury Area Computer Society, Inc. All Rights Reserved.