Penetration Testing mailing list archives
RE: Spoofing .NET ViewState (overview)
From: "Debasis Mohanty" <debasis () hackingspirits com>
Date: Sun, 15 Jan 2006 01:26:36 +0530
Keith, There could be two reasons for your test to fail. Like as Moore has already mentioned, View State is tamper proof if MAC is enabled. Next is, are you not missing out the Content-Type header while POSTing the data? If you use the Fiddler http debugging tool this will be one of those small details you might notice as a difference between your programmatic POST and the browser POST, and is required for POST to work (especially incase of ASP.NET). In order to make this work and send the valid Viewstate value to the server, you will first need to request the form from the server, parse the Viewstate, and then POST the form back with all other details like Content-Type etc. Think about how web scrapping would work incase of fetching data from an asp.net page. - D
-----Original Message----- From: Keith Hanson [mailto:seraphimrhapsody () gmail com] might know how to do this. I'm currently attempting to override the viewstate of a .NET application with my own viewstate, and get the application to auto-fill in the values using the Viewstate.
------------------------------------------------------------------------------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
Current thread:
- RE: Spoofing .NET ViewState (overview) Evans, Arian (Jan 14)
- RE: Spoofing .NET ViewState (overview) Debasis Mohanty (Jan 14)