Viewing ASP.NET viewstate with ViewState Decoder
Viewing ASP.NET viewstate with ViewState Decoder
Submitted by Brent Strange on Tue, 07/03/2006 - 06:12.Do you ever wonder what may be inside that asp.net viewstate? As a tester don't you think you should? It's a good thing to wonder about if you care about security. It's possible that the viewstate could contain sensitive user information that could be compromised in a man in the middle attack. For example: A user can input a credit card number into a textbox which would be passed to the next page via the viewstate. Not good... The viewstate is not encrypted by default its just simple Base64 encoding which can easily decoded with cool little tools like ViewState Decoder made by Fritz Onion. The viewstate is found in the page source and can easily found by searching for the text "ViewState". The search will lead you to a value that looks like this:
<input type="hidden" name="__VIEWSTATE"
value="dDwxNDg5OTk5MzM7Oz7DblWpxMjE3ATl4Jx621QnCmJ2VQ==" />
If you take the value and paste it into the Frit's ViewState Decoder you can make it human readable:
Let's say you find an issue with sensitive data being passed in the viewstate; the fix is to make the viewstate tamper-proof and encrypt it. The following is an excerpt from Microsoft on how to do that:
|
Tamper-Proofing
A hashcode will not secure the actual data within the ViewState field, but it will greatly reduce the likelihood of someone tampering with ViewState to try to spoof your application, that is, posting back values that your application would normally prevent a user from inputting. You can instruct ASP.NET to append a hashcode to the ViewState field by setting the EnableViewStateMAC attribute: <%@Page EnableViewStateMAC=true %>EnableViewStateMAC can be set at the page or application level. Upon postback, ASP.NET will generate a hashcode for the ViewState data and compare it to the hashcode store in the posted value. If they don't match, the ViewState data will be discarded and the controls will revert to their original settings. By default, ASP.NET generates the ViewState hashcode using the SHA1 algorithm. Alternatively, you can select the MD5 algorithm by setting <machineKey> in the machine.config file as follows: <machineKey validation="MD5" /> Encryption You can use encryption to protect the actual data values within the ViewState field. First, you must set EnableViewStatMAC="true" , as above. Then, set the machineKey validation type to 3DES . This instructs ASP.NET to encrypt the ViewState value using the Triple DES symmetric encryption algorithm. <machineKey validation="3DES" /> |
You can get more details on viewstate in this article from Microsoft.