5

I was using Burp Suite to do some security testing on a site and I noticed that when it detects ViewState it will automatically tell you whether it has MAC enabled.

I'm curious if anyone knows of a programmatic way to determine if MAC is enabled when you are crawling a site, without actually attempting to modify the ViewState, submitting it and seeing if anything blows up?

From what I can tell Burp Suite is doing this just by looking at the request (and not modifying/submitting).

Abe Miessler
  • Cross posting between Stackexchange websites is highly discouraged. http://stackoverflow.com/questions/17841544/how-to-determine-if-viewstate-has-mac-enabled-when-crawling-a-page – Lucas Kauffman Jul 24 '13 at 18:43

2 Answers

5

The "ViewState" is part of the page, as a hidden field value to be sent back to the server. If the ViewState is protected by a MAC then the MAC value is part of it, so it is a matter of extracting the ViewState value from the page, decoding it, and then seeing if there is a MAC or not. Burp does just that.

ViewState format is not publicly documented (you are not supposed to fiddle with it) but it has been reverse engineered.

Thomas Pornin
4

ViewStates are basically BASE64 encoded strings. So what you can do is try to decode them with a BASE64 decoder. If it's encrypted you will get some binary content which is not really readable. If no encryption is used you will be able to see the contents. For instance Fiddler2 can assist you in decoding ViewStates in your browser.

Now there is also the option of using a MAC:

If the viewstate has its MAC enabled then, quoting MSDN "View State Security":

The security of this system lies in the secrecy of the secret key value. This value is always stored on the server, either in memory or in a configuration file (more on this later)—it is never written to the page. Without knowing the key, there would be no way for an attacker to compute a valid view state hash.

You can check this by decoding the VIEWSTATE (if not encrypted) and verifying whether a 20-byte hash is present at the end of the ViewState structure.

Lucas Kauffman
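The passive check both answers describe (decode the base64, walk the serialized object tree, see what is left at the end), as an added example that is not code from either answerer or from Burp. It walks a subset of the ASP.NET 2.0+ ObjectStateFormatter tokens and classifies the trailing bytes by size; the sample ViewState values are constructed inline, and the 20 bytes appended to the signed one are a stand-in for the HMAC-SHA1 value a server with MAC enabled would append, not a real MAC.

```python
import base64

# ObjectStateFormatter tokens (binary ViewState, .NET 2.0+); unhandled ones raise.
SIZED = {1: 2, 3: 1, 31: 1}          # int16, byte, indexed-string reference
EMPTY = {100, 101, 102, 103, 104}    # null, "", 0, true, false
MAC_SIZES = {16: "MD5", 20: "HMACSHA1", 32: "HMACSHA256", 64: "HMACSHA512"}

def read_7bit(buf, pos):             # BinaryWriter 7-bit encoded int -> (value, next_pos)
    value = shift = 0
    while True:
        b, pos = buf[pos], pos + 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7

def skip_node(buf, pos):             # walk one serialized node, return offset past it
    tok, pos = buf[pos], pos + 1
    if tok in EMPTY:
        return pos
    if tok in SIZED:
        return pos + SIZED[tok]
    if tok == 2:                      # int32, 7-bit encoded
        return read_7bit(buf, pos)[1]
    if tok in (5, 30):                # string / indexed-string add: length + UTF-8
        n, pos = read_7bit(buf, pos)
        return pos + n
    if tok in (15, 16):               # pair / triplet
        count = tok - 13
    elif tok in (22, 23):             # arraylist / hashtable: element count first
        count, pos = read_7bit(buf, pos)
        count *= 2 if tok == 23 else 1
    else:
        raise ValueError("unsupported token 0x%02x at offset %d" % (tok, pos - 1))
    for _ in range(count):
        pos = skip_node(buf, pos)
    return pos

def mac_status(b64):                 # 'encrypted', 'no-mac' or 'mac:<algorithm>'
    raw = base64.b64decode(b64)
    if raw[:2] != b"\xff\x01":        # no plaintext header: content is opaque
        return "encrypted"
    trailing = len(raw) - skip_node(raw, 2)   # bytes left after the object tree
    return "no-mac" if trailing == 0 else "mac:" + MAC_SIZES.get(trailing, "unknown")

# Constructed samples: a Pair("hello", null) tree, bare and with 20 stand-in bytes
# where a server with MAC enabled would append the HMAC-SHA1 value.
TREE = b"\xff\x01\x0f\x05\x05hello\x64"
UNSIGNED = base64.b64encode(TREE).decode()
SIGNED = base64.b64encode(TREE + bytes(range(20))).decode()
```

The "encrypted" verdict only means the decoded bytes lack the plaintext header, which is also what any server configured to encrypt ViewState rather than just sign it will produce; a ValueError means the tree used a token this subset does not walk.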