ScriptResource error: am I being hacked?

Question

I keep getting errors like this on one of my sites. It tends to happen randomly throughout the day any for periods in the night when I would not expect users on the site.

It is always from different ip addresses

System.Web.HttpException: Invalid viewstate. at System.Web.UI.Page.DecryptStringWithIV(String s, IVType ivType) at System.Web.UI.Page.DecryptString(String s)

or

System.Security.Cryptography.CryptographicException: Padding is invalid and cannot be removed. at System.Security.Cryptography.RijndaelManagedTransform.DecryptData(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount, Byte[]& outputBuffer, Int32 outputOffset, PaddingMode paddingMode, Boolean fLast) at System.Security.Cryptography.RijndaelManagedTransform.TransformFinalBlock(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount) at System.Security.Cryptography.CryptoStream.FlushFinalBlock() at System.Web.Configuration.MachineKeySection.EncryptOrDecryptData(Boolean fEncrypt, Byte[] buf, Byte[] modifier, Int32 start, Int32 length, IVType ivType, Boolean useValidationSymAlgo) at System.Web.UI.Page.DecryptStringWithIV(String s, IVType ivType) at System.Web.UI.Page.DecryptString(String s)

They happen in this page:

 ScriptResource.axd?d=VVe1O4rzLSI9hB5nRzBXZxUYTQz6ylDTL9djGR

The site users Ajax and runs on .NET 3.

Is this someone trying to hack into the site? Is it an error with the html on the site?

Any ideas?

Answer 1

I believe this error is caused by your ViewState being decrypted using an out-of-date ViewStateUserKey.

Removing these errors is a two-step process:

1. Ensure you have a site-specific validation key. You can use several online resources to generate one for you, such as this one.
2. Ensure the page's ViewStateUserKey is always consistent. From the MSDN documentation:

Setting the ViewStateUserKey property can help you prevent attacks on your application from malicious users. It does this by allowing you to assign an identifier to the view-state variable for individual users so that they cannot use the variable to generate an attack. You can set this property to any string value, such as the user's session ID or the user's authenticated name.

You can do this by setting it yourself (perhaps in your Page or base Page's Init event):

if (Session["ViewStateUserKey"] == null)
{
    Session["ViewStateUserKey"] = new Guid().ToString();
}    
this.Page.ViewStateUserKey = Session["ViewStateUserKey"].ToString();

And no, I don't think you're being hacked.