
I am performing a penetration test for the first time on a .NET application that, instead of providing cookies for session management, uses the ViewState hidden field.

I am using the .NET Beautifier plugin in Burp to decode the value of the ViewState parameter, but it says that it is encrypted and cannot be decoded.

The ASP.NET version is 4.0.xx. Does this version always encrypt the VIEWSTATE with a key stored on the server? How secure is it?

Anders

XII
  • It will be encrypted with the machine key from the ASP.NET config; unless the server was set up by someone clueless, it won't be leaking that config file. It's been a long time since I wrote any ASP.NET, but for CSRF look at ViewStateUserKey. – iainpb Mar 01 '18 at 12:02

1 Answer

Firstly, VIEWSTATE is a value to control the state of a view; it helps to keep data at the view level and prevent Cross-Site Request Forgery (CSRF). In other words, this value is used to authenticate requests (sending data to the backend and being sure it is a legitimate request), so it has at least the following features:

  • it's a secure pseudo-random value.
  • it's long.
  • it's unique for every view.

Maybe you could decode this value, but it is just a pseudo-random value. Now, answering your question: yes, this value is secure, but it should be used to authenticate requests (prevent CSRF); it shouldn't be used to authenticate users, because one of its features is to be unique for every view, so its lifetime is shorter than a session's lifetime. So don't confuse the purpose of VIEWSTATE with session management.

I hope this information helps you.

hmrojas.p
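A way to confirm what the Burp plugin is reporting when reviewing your own deployment, as an added example that is not part of the original thread: a small Python check that classifies a `__VIEWSTATE` value as plaintext or encrypted by its serializer marker, and pulls the relevant hidden fields out of a page. The sample values and HTML are constructed, not captured from any real application.

```python
"""Classify an ASP.NET __VIEWSTATE value as plaintext or encrypted.
ObjectStateFormatter (the ViewState serializer) starts its output with the
marker bytes 0xFF 0x01, so unencrypted values begin with "/wE" in base64 and
decode to that marker (any MAC is appended after the data). Encrypted values
decode to random-looking bytes, which Burp's .NET Beautifier reports as
"encrypted".
"""
import base64
import binascii
import re
from typing import Optional
from urllib.parse import unquote

OSF_MARKER = b"\xff\x01"  # ObjectStateFormatter format marker, version 1

def decode_viewstate(value: str) -> Optional[bytes]:
    """Percent-decode (for values copied from a POST body), then base64-decode."""
    raw = unquote(value.strip())  # not unquote_plus: '+' is a base64 character
    try:
        return base64.b64decode(raw, validate=True)
    except (binascii.Error, ValueError):
        return None

def classify_viewstate(value: str) -> str:
    """Return 'plaintext', 'encrypted' or 'invalid' for a __VIEWSTATE value."""
    data = decode_viewstate(value)
    if data is None or len(data) < 2:
        return "invalid"
    return "plaintext" if data.startswith(OSF_MARKER) else "encrypted"

# Matches the hidden inputs ASP.NET renders: type, then name, then value.
HIDDEN_RE = re.compile(
    r'<input[^>]*type="hidden"[^>]*name="(__VIEWSTATE\w*)"[^>]*value="([^"]*)"',
    re.IGNORECASE,
)

def audit_form(html: str) -> dict:
    """Extract the __VIEWSTATE* hidden fields from page HTML and classify them."""
    fields = dict(HIDDEN_RE.findall(html))
    vs = fields.get("__VIEWSTATE", "")
    return {
        "classification": classify_viewstate(vs) if vs else "missing",
        # ASP.NET emits __VIEWSTATEENCRYPTED when it actually encrypted the state
        "encrypted_flag_present": "__VIEWSTATEENCRYPTED" in fields,
    }

# Constructed sample values (not captured from any real application).
PLAINTEXT_VS = base64.b64encode(OSF_MARKER + b"\x0f\x0f\x05\x04demo" + bytes(20)).decode()
ENCRYPTED_VS = base64.b64encode(bytes(range(16, 80))).decode()
```

A "plaintext" result does not by itself mean the MAC is missing; it only means the value is readable, which is what the question's plugin would have decoded.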