Dailydave mailing list archives

ASP.Net viewstate


From: "Kartikeya Puri" <kartikeya.puri () gmail com>
Date: Tue, 12 Sep 2006 13:20:44 +0400

Hi List,

During a test I came across a new feature that was introduced into one of
our applications: Viewstate. Though it adds an overhead to the performance, it
adds a trivial level of security. As viewstate holds an encoded version of
data being posted along with other controls, it makes it tricky to change
query variables. I have been able to decode viewstate using python
decodestring, but only after I have changed URL encoded characters back to
their decoded form. Also so far I had no luck in encoding my strings in
viewstate while submitting the request. Let me draw the scenario:

request(something.aspx)-->put_somejunk_input()-->Post_request()--->intercept_request()-->grab_viewstate()-->decode_viewstate()-->Makechanges_viewstate()-->encode_viewstate()-->Post_newvars_with_new_viewstate()

There are a few details which are to be taken care of, like contentlength
*taken care of by livehttpheaders/viewstatedecoder*. Can someone give me a
pointer regarding the same?

Thanks and Regards,
Kartik

--
Im not under d affluence of incohol as some tinkle peep.Im not half as thunk
as u drink.I fool so feelish and da drunker i stand here da longer i get..
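
The decoding step described in the post, as an added example that is not part of the original message: Base64 text in a form-encoded POST body has its `+`, `/` and `=` characters percent-encoded, so it has to be form-decoded before the Base64 decoder will accept it. The sample bytes, the POST body and the `txtName` control are constructed for illustration, and `base64.b64decode` is used because `decodestring` was removed in Python 3.9.

```python
import base64
import binascii
from urllib.parse import parse_qs, urlencode

# Constructed bytes standing in for a serialized ViewState; chosen so the
# Base64 text contains '+', '/' and '=' (it encodes to "++//QQ==").
SAMPLE_STATE = b"\xfb\xef\xffA"

# Constructed POST body as an intercepting proxy would show it.
# "txtName" is a hypothetical form control.
SAMPLE_BODY = urlencode({
    "__VIEWSTATE": base64.b64encode(SAMPLE_STATE).decode("ascii"),
    "txtName": "junk input",
})


def raw_field(post_body: str, name: str) -> str:
    """Return a field's value exactly as it appears on the wire."""
    for pair in post_body.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return value
    raise KeyError(name)


def form_field(post_body: str, name: str) -> str:
    """Return a field's value after form decoding (%XX and '+' handled)."""
    return parse_qs(post_body, keep_blank_values=True)[name][0]


def decode_viewstate(b64_text: str) -> bytes:
    """Strict Base64 decode; rejects any character outside the alphabet."""
    return base64.b64decode(b64_text, validate=True)


def decodes_cleanly(b64_text: str) -> bool:
    """True if the text is valid Base64 as it stands."""
    try:
        decode_viewstate(b64_text)
        return True
    except (binascii.Error, ValueError):
        return False


if __name__ == "__main__":
    wire = raw_field(SAMPLE_BODY, "__VIEWSTATE")
    print("on the wire :", wire, "| decodes:", decodes_cleanly(wire))
    text = form_field(SAMPLE_BODY, "__VIEWSTATE")
    print("form-decoded:", text, "| bytes:", decode_viewstate(text))
```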