Fake __EVENTVALIDATION in Microsoft Ajax

Question

I am in the progress of making a mobile App for a website to view your schedule. They don't provide any API and has no intention to make one.

The website can only function with Ajax, however to fake these requests and scrape the website I need to fake the __EVENTVALIDATION post field.

I have no control whatsoever over the website and I have never built anything using ASP.NET or Microsoft Ajax.

Has anyone done this?

I have found that the __EVENTVALIDATION field has this pattern (... symbolises bytes changed depending on the request, hexdump of the base64 decoded version):

d8 01 16 13 02 4f 0a
...
f6 e0 84 d4 05 02 a0 3f
e2 3f 03 02 3f d8 d1 d5 0c 02 bb 82 cf ec 08 02
b4 b5 99 f8 0b 02 3f 89 3f eb 04 02 d5 83 90 88
0a 02 8a db 94 90 03 02 8b cf 3f 85 08 02 93 3f
b1 3f 06 02 9b 3f 8f a5 02 02 b5 b4 af 85 01 02
d1 fc ae 9c 0e 02 b4 e2 94 9e 0a 02 3f e2 94 9e
0a 02 3f e2 94 9e 0a 02 bb 92 80 a5 06
...                                  

Answer 1

I've dealt with this problem before in building scrapers for ASP.NET sites. You need to request the initial page that the browser user would ordinarily land on, extract the __VIEWSTATE and __EVENTVALIDATION hashes then use these in making the second request for the data which you actually need.

For example, if you're scraping the response from a form submission:

1. make an AJAX request for the page that the form is on
2. extract the viewstate and event validation hashes from the response
3. make a new AJAX request that simulates form submission, passing the hashes as parameters

If you're looking for JavaScript functions to extract the hashes from markup, I've published the ones I use as ms-viewstate on GitHub.

Answer 2

__EVENTVALIDATION is a security measure.

The feature prevents unauthorized requests sent by potentially malicious users from the client. To ensure that each and every postback and callback event originates from the expected user interface elements, the page adds an extra layer of validation on events. The page basically matches the contents of the request with the information in the __EVENTVALIDATION field to verify that no extra input field has been added on the client and that value is selected on a list that was already known on the server. The page generates the event validation field during rendering-that is at the last possible moment when the information is available. Like the view state, the event validation field contains a hash value to prevent client-side tampering.

The hash value is based on a key at the server level. So you cannot replicate that hash - or rather, if you did, without access to the server, I guess you found a security hole.

REF: MSDN