
Is it possible to decode EventValidation and ViewState in ASP.NET?

How to decode the ASP.NET EventValidation and ViewState?

Zanoni asked Jul 07 '09 14:07


People also ask

Is ViewState encrypted by default?

This means that knowing the validation key and its algorithm is enough to exploit a website. It seems ViewState is encrypted by default since version 4.5 even when the viewStateEncryptionMode property has been set to Never.

What is __VIEWSTATEGENERATOR in ASP.NET?

Usage of the ViewStateGenerator parameter: When the __VIEWSTATEGENERATOR parameter is known, it can be used for the ASP.NET applications that use .NET Framework version 4.0 or below in order to sign a serialised object without knowing the application path.

What is ViewState MAC in ASP.NET?

The ViewState is a parameter specific to the ASP.NET framework. It is used as a breadcrumb trail when the user navigates the application, preserving values and controls between different web pages. Present on the pages in the __viewstate parameter, all the values are serialized and encoded in base64 in a hidden field.

What is the parameter that is checked for insecure deserialization vulnerability in ASP.NET websites?

We understand that the Bearer token is the vulnerable parameter; theoretically, whatever JSON data we send to it should be parsed.


3 Answers

I answered a similar question recently, Getting values from viewstate using JQuery?.

Basically, by default ViewState is just Base64-encoded, so you can decode it as long as the administrator hasn't configured the site to encrypt it. Quoting from my previous answer:

If you are writing the control for your own consumption and you only need to read from ViewState, you could do so, but I wouldn't recommend it unless you find a well-debugged library to parse it for you. The format is a bit hairy (see ViewState: All You Wanted to Know for more details).

That link provides an extremely thorough and clear introduction to ViewState.

As for Event Validation, I'm unsure whether it's Base64-encoded or if it just looks like Base64 (I can't find a conclusive, authoritative reference). This Rexiology article might help though.

Jeff Sternal answered Oct 09 '22 23:10
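To check whether a page of your own ships readable ViewState, as the answer above describes, the following added example (not part of the original answer) Base64-decodes a `__VIEWSTATE` value, looks for the ObjectStateFormatter header bytes `0xFF 0x01`, and walks a small subset of type tokens. The function names, the token subset handled, and the sample value are assumptions made for this illustration; anything outside the subset stops the walk.

```python
import base64

# Subset of ObjectStateFormatter type tokens handled here (assumed for this
# example): null, empty string, zero, true, false.
SIMPLE = {0x64: None, 0x65: "", 0x66: 0, 0x67: True, 0x68: False}

def _varint(buf, pos):
    """Read a 7-bit encoded integer (used for Int32 values and string lengths)."""
    value = shift = 0
    while True:
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7

def _read(buf, pos):
    """Decode one object starting at pos; return (value, next_pos)."""
    token = buf[pos]
    pos += 1
    if token in SIMPLE:
        return SIMPLE[token], pos
    if token == 0x02:                      # Int32
        return _varint(buf, pos)
    if token == 0x05:                      # length-prefixed UTF-8 string
        n, pos = _varint(buf, pos)
        return buf[pos:pos + n].decode("utf-8"), pos + n
    if token in (0x0F, 0x10):              # Pair (2 items) / Triplet (3 items)
        items = []
        for _ in range(2 if token == 0x0F else 3):
            item, pos = _read(buf, pos)
            items.append(item)
        return tuple(items), pos
    raise ValueError(f"unsupported token {token:#x}")

def inspect_viewstate(b64):
    """Report whether a __VIEWSTATE value is plain Base64 and what it holds."""
    raw = base64.b64decode(b64)
    if raw[:2] != b"\xff\x01":             # no header: encrypted, or not ViewState
        return {"readable": False}
    try:
        value, end = _read(raw, 2)
    except (ValueError, IndexError) as exc:
        return {"readable": True, "value": None, "note": str(exc)}
    # Bytes left after the object graph are where an appended MAC would sit.
    return {"readable": True, "value": value, "trailing_bytes": len(raw) - end}

# Constructed sample: Pair("user", 7) followed by 20 filler bytes standing in for a MAC.
SAMPLE = base64.b64encode(b"\xff\x01\x0f\x05\x04user\x02\x07" + b"\xaa" * 20).decode()
```

A result of `readable: True` means anyone who can view the page source can read the stored values; the trailing bytes only show that something follows the object graph, not that it is a valid MAC.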


I'm not sure about EventValidation, but you can decode ViewState by using Fritz Onion's ViewState Decoder.

Bob Mc answered Oct 09 '22 22:10


I needed to decode ViewStates recently and found this tool useful: View State decoder

syntagma answered Oct 09 '22 23:10