Penetration Testing mailing list archives

RE: Spoofing .NET ViewState (overview)


From: "Debasis Mohanty" <debasis () hackingspirits com>
Date: Sun, 15 Jan 2006 01:26:36 +0530

Keith, 

There could be two reasons for your test to fail. Like as Moore has already
mentioned, View State is tamper proof if MAC is enabled. Next is, are you
not missing out the Content-Type header while POSTing the data? If you use
the Fiddler http debugging tool this will be one of those small details you
might notice as a difference between your programmatic POST and the browser
POST, and is required for POST to work (especially incase of ASP.NET).

In order to make this work and send the valid Viewstate value to the server,
you will first need to request the form from the server, parse the
Viewstate, and then POST the form back with all other details like
Content-Type etc. 

Think about how web scrapping would work incase of fetching data from an
asp.net page.

- D 


-----Original Message-----
From: Keith Hanson [mailto:seraphimrhapsody () gmail com]

might know how to do this. I'm currently attempting to override the 
viewstate of a .NET application with my own viewstate, and get the 
application to auto-fill in the values using the Viewstate.



------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------


Current thread: