Is it possible to spoof or reuse VIEWSTATE or detect if it is protected from modification?
Posted by Peter Jaric on Stack Overflow
Published on 2012-06-18T20:09:30Z
Question
ASP and ASP.NET web applications use a value called VIEWSTATE in forms. From what I understand, this is used to persist some kind of state on the client between requests to the web server.
I have never worked with ASP or ASP.NET and need some help with two questions (and some sub-questions):
1) Is it possible to programmatically spoof/construct a VIEWSTATE for a form? Clarification: can a program look at a form and from that construct the contents of the base64-encoded VIEWSTATE value?
1 a) Or can it always just be left out?
1 b) Can an old VIEWSTATE for a particular form be reused in a later invocation of the same form, or would it just be luck if that worked?
2) I gather from http://msdn.microsoft.com/en-us/library/ms972976.aspx#viewstate_topic12 that it is possible to turn on security so that the VIEWSTATE becomes secure from spoofing. Is it possible for a program to detect that a VIEWSTATE is safeguarded in such a way?
2 a) Is there a one-to-one mapping between the occurrence of EVENTVALIDATION values and secure VIEWSTATEs?
Regarding 1) and 2), if yes, can I have a hint about how I would do that? For 2) I am thinking I could base64-decode the value and search for a string that always is found in unencrypted VIEWSTATEs. "First:"? Something else?
Background
I have made a small tool for detecting and exploiting so-called CSRF vulnerabilities. I use it to quickly make proofs of concept of such vulnerabilities that I send to the affected site owners. Quite often I encounter these forms with a VIEWSTATE, and these I don't know if they are secure or not.
Edit 1: Clarified question 1 somewhat.
Edit 2: Added text in italics.
© Stack Overflow or respective owner