View State

On websites that use ASP.NET, the view state is used to control properties and variables of the page. This information is embedded in the webpage and is sent back to the server on requests, usually only in POST requests.

Information in the view state includes:
- EventValidation: checks the incoming values in a POST to ensure the values are known, good values.
- ViewStateUserKey: adds a session ID to the view state to protect against CSRF.
- ValidateAntiForgeryToken: requires all POST forms to have a CSRF token.
- ViewStateMac: MAC used to prevent modification of the data.
- ViewStateEncryption: if set, used to encrypt the view state.

Obtaining a Machine Key

https://notsosecure.com/project-blacklist3r/

- Blacklist3r: if the application uses a pre-shared machine key
- Directory traversal attack to get access to the web.config file
- Information disclosure
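
Because the settings listed earlier and the machine key both live in web.config, a configuration audit catches the weak cases before an attacker does. The following Python code is an added example, not from the original page or the linked projects; the function name `audit_viewstate_config` and the sample configuration (including the placeholder key value) are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config; the key value is a placeholder, not a real key.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <pages enableViewStateMac="false" viewStateEncryptionMode="Never" />
    <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>"""


def audit_viewstate_config(xml_text):
    """Return (setting, finding) tuples for weak view state settings."""
    findings = []
    root = ET.fromstring(xml_text)
    # iter() also reaches <system.web> nested inside <location> elements.
    for web in root.iter("system.web"):
        pages = web.find("pages")
        if pages is not None:
            # Defaults when absent: MAC on, encryption Auto, event validation on.
            if pages.get("enableViewStateMac", "true").lower() == "false":
                findings.append(("enableViewStateMac",
                                 "MAC disabled: view state is not integrity protected"))
            if pages.get("viewStateEncryptionMode", "Auto").lower() == "never":
                findings.append(("viewStateEncryptionMode",
                                 "encryption disabled: view state contents are readable"))
            if pages.get("enableEventValidation", "true").lower() == "false":
                findings.append(("enableEventValidation",
                                 "event validation disabled: POST values are not checked"))
        machine_key = web.find("machineKey")
        if machine_key is not None:
            for attr in ("validationKey", "decryptionKey"):
                # Any value other than AutoGenerate[,IsolateApps] is a static key
                # that is exposed if web.config leaks or the key is reused.
                if not machine_key.get(attr, "AutoGenerate").startswith("AutoGenerate"):
                    findings.append((attr, "static key stored in web.config"))
    return findings


if __name__ == "__main__":
    for setting, finding in audit_viewstate_config(SAMPLE_WEB_CONFIG):
        print(f"{setting}: {finding}")
```

ViewStateUserKey is set in page code rather than in web.config, so it is outside what this check can see.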

Exploiting ViewState Deserialization

https://github.com/hacktics/vehicle