 

Is it possible to spoof or reuse VIEWSTATE or detect if it is protected from modification?

Question

ASP and ASP.NET web applications use a value called VIEWSTATE in forms. From what I understand, this is used to persist some kind of state on the client between requests to the web server.

I have never worked with ASP or ASP.NET and need some help with two questions (and some sub-questions):

1) Is it possible to programmatically spoof/construct a VIEWSTATE for a form? Clarification: can a program look at a form and from that construct the contents of the base64-encoded VIEWSTATE value?

1 a) Or can it always just be left out?

1 b) Can an old VIEWSTATE for a particular form be reused in a later invocation of the same form, or would it just be luck if that worked?

2) I gather from http://msdn.microsoft.com/en-us/library/ms972976.aspx#viewstate_topic12 that it is possible to turn on security so that the VIEWSTATE becomes secure from spoofing. Is it possible for a program to detect that a VIEWSTATE is safeguarded in such a way?

2 a) Is there a one-to-one mapping between the occurrence of EVENTVALIDATION values and secure VIEWSTATEs?

Regarding 1) and 2), if yes, can I have a hint about how I would do that? For 2) I am thinking I could base64-decode the value and search for a string that always is found in unencrypted VIEWSTATEs. "First:"? Something else?

Background

I have made a small tool for detecting and exploiting so-called CSRF vulnerabilities. I use it to quickly make proofs of concept of such vulnerabilities that I send to the affected site owners. Quite often I encounter forms with a VIEWSTATE, and for these I don't know whether they are secure or not.

Edit 1: Clarified question 1 somewhat.

Edit 2: Added text in italics.

Peter Jaric asked Jun 18 '12 20:06


1 Answer

Is it possible to programmatically spoof/construct a VIEWSTATE for a form?

Sure. It's just a Base64 encoded value. Now, since ASP.NET 2.0 there has been an option where the viewstate can be encrypted by the Machine Key, but that is an opt-in feature. Generally, you don't want to be putting anything private in the view state in the first place.

Or can it always just be left out?

Some of ASP.NET's plumbing requires ViewState; turning it off completely is rather difficult if you still want to use the ASP.NET Server Controls.

Can an old VIEWSTATE for a particular form be reused in a later invocation of the same form, or would it just be luck if that worked?

That's called a replay attack.

Yes, it is possible. Here is a blog post demonstrating it.

Is there a one-to-one mapping between the occurrence of EVENTVALIDATION values and secure VIEWSTATEs?

Not really. Event Validation is basically used to ensure that the client-side event matches a "possible" event that could have happened on the server. It mostly protects and ensures that hidden inputs like __EVENTTARGET haven't been tampered with.

vcsjones answered Sep 28 '22 18:09
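Added example for this thread (not code from the page, and not part of ASP.NET): a small Python triage script that does what the question's point 2 and the answer's "it's just a Base64 encoded value" suggest. It decodes a __VIEWSTATE value, checks for the 0xFF 0x01 marker that ObjectStateFormatter (ASP.NET 2.0 and later) writes first, walks the common tokens (Pair, Triplet, ArrayList, strings, ints, null and booleans) so the state can be read, and counts the bytes left after the serialized object: with ViewState MAC enabled the HMAC is appended there (20 bytes for HMACSHA1, 32 for HMACSHA256), while an encrypted ViewState shows no readable marker at all. ASP.NET 1.x LosFormatter output is recognised by its leading "t<" (Base64 "dDw"). The sample values are constructed by hand for this example, the appended "MAC" is a placeholder rather than a real HMAC, and the decoded token subset is an assumption about what typical page state contains; any other token stops the walk with an error.

```python
"""
Offline triage of an ASP.NET __VIEWSTATE value: what can be learned without
the machine key. Example code for this thread, not from the page or ASP.NET.
"""
import base64

# ObjectStateFormatter token values (ASP.NET 2.0+); only this subset is decoded.
T_INT32, T_STRING, T_PAIR, T_TRIPLET, T_ARRAYLIST = 0x02, 0x05, 0x0F, 0x10, 0x16
T_INDEXED_STRING_ADD, T_INDEXED_STRING = 0x1E, 0x1F
T_NULL, T_EMPTY_STRING, T_ZERO_INT32, T_TRUE, T_FALSE = 0x64, 0x65, 0x66, 0x67, 0x68


class ObjectStateReader:
    """Walks the token stream that follows the 0xFF 0x01 marker."""

    def __init__(self, data: bytes):
        self.data, self.pos, self.table = data, 0, []

    def byte(self) -> int:
        if self.pos >= len(self.data):
            raise ValueError("truncated ViewState")
        self.pos += 1
        return self.data[self.pos - 1]

    def varint(self) -> int:
        # BinaryReader.Read7BitEncodedInt: 7 bits per byte, low bits first.
        value, shift = 0, 0
        while True:
            b = self.byte()
            value |= (b & 0x7F) << shift
            if not b & 0x80:
                return value
            shift += 7

    def string(self) -> str:
        n = self.varint()                      # 7-bit length prefix, then UTF-8
        s = self.data[self.pos:self.pos + n].decode("utf-8")
        self.pos += n
        return s

    def value(self):
        t = self.byte()
        if t == T_PAIR:
            return (self.value(), self.value())
        if t == T_TRIPLET:
            return (self.value(), self.value(), self.value())
        if t == T_ARRAYLIST:
            return [self.value() for _ in range(self.varint())]
        if t == T_STRING:
            return self.string()
        if t == T_INDEXED_STRING_ADD:          # first use: string goes into a table
            s = self.string()
            self.table.append(s)
            return s
        if t == T_INDEXED_STRING:              # later use: one-byte index into it
            return self.table[self.byte()]
        if t == T_INT32:                       # 7-bit encoded, wrap to signed 32-bit
            v = self.varint() & 0xFFFFFFFF
            return v - (1 << 32) if v & 0x80000000 else v
        simple = {T_NULL: None, T_EMPTY_STRING: "", T_ZERO_INT32: 0,
                  T_TRUE: True, T_FALSE: False}
        if t in simple:
            return simple[t]
        raise ValueError(f"token 0x{t:02x} not handled at offset {self.pos - 1}")


def classify_viewstate(b64: str) -> dict:
    """Format, decoded object, and bytes left after the object (the MAC, if any)."""
    raw = base64.b64decode(b64)
    if raw[:2] == b"t<":
        return {"format": "LosFormatter (ASP.NET 1.x)", "object": None,
                "trailing_bytes": None, "mac_likely": None}
    if raw[:2] != b"\xff\x01":
        return {"format": "encrypted or not ObjectStateFormatter", "object": None,
                "trailing_bytes": None, "mac_likely": None}
    reader = ObjectStateReader(raw)
    reader.pos = 2                             # skip marker and version
    obj = reader.value()
    trailing = len(raw) - reader.pos           # 20 = HMACSHA1, 32 = HMACSHA256
    return {"format": "ObjectStateFormatter (ASP.NET 2.0+)", "object": obj,
            "trailing_bytes": trailing, "mac_likely": trailing > 0}


def flip_last_byte(b64: str) -> str:
    """Tampered copy for a live MAC check: a MAC-protected page rejects it."""
    raw = bytearray(base64.b64decode(b64))
    raw[-1] ^= 0x01
    return base64.b64encode(bytes(raw)).decode()


# Constructed sample state (hand-built token stream, not captured from a site):
# Pair(Pair("-1234567890", Pair(None, [0, Triplet("Text", "hello", None)])), None)
_STATE = (b"\xff\x01"
          b"\x0f\x0f\x05\x0b-1234567890"
          b"\x0f\x64\x16\x02\x66\x10\x1e\x04Text\x05\x05hello\x64"
          b"\x64")
SAMPLE_NO_MAC = base64.b64encode(_STATE).decode()
SAMPLE_MAC = base64.b64encode(_STATE + bytes(range(20))).decode()   # placeholder "HMAC"
SAMPLE_ENCRYPTED = base64.b64encode(bytes(range(0x10, 0x40))).decode()  # placeholder ciphertext

if __name__ == "__main__":
    for name in ("SAMPLE_NO_MAC", "SAMPLE_MAC", "SAMPLE_ENCRYPTED"):
        print(name, classify_viewstate(globals()[name]))
```

The trailing-byte count is an inference, not proof. To check MAC protection behaviourally, submit flip_last_byte(value) in place of the captured __VIEWSTATE: a MAC-protected page rejects the form with the viewstate MAC validation error, while an unprotected page accepts it (flip the last byte rather than one inside the object so that a plain deserialization error is not mistaken for a MAC failure). When neither a MAC nor encryption is present, the token stream above is the whole secret: the value can be edited and re-encoded as well as replayed.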