Questions tagged [viewstate]

Microsoft ASP.NET ViewState, in a nutshell, is the technique an ASP.NET Web Forms page uses to persist the state of its controls across postbacks. The state is serialised, base64-encoded and sent to the browser in the hidden __VIEWSTATE form field; with enableViewStateMac on (the default) it carries a MAC so the server can detect tampering, and it can optionally be encrypted.

8 questions
9 votes, 1 answer

CSRF in ASP.NET

There's this "change password" ASP.NET form that has both event validation and viewstate enabled. There are no specific anti-CSRF tokens. From my understanding, in order to execute a successful CSRF attack, an attacker will have to be able to get…
user63518
5 votes, 2 answers

__VIEWSTATE to Protect Against CSRF

I am not a .NET developer and I am trying to understand how exactly __ViewState protects against CSRF/XSRF attacks. I came across the following: a Security Stack Exchange discussion on a similar topic and the OWASP Guide to CSRF Protection. I am a…
qre0ct
5 votes, 2 answers

How to determine if ViewState has MAC enabled when crawling a page?

I was using Burp Suite to do some security testing on a site and I noticed that when it detects ViewState it will automatically tell you whether it has MAC enabled. I'm curious if anyone knows of a programmatic way to determine if MAC is enabled if…
Abe Miessler
4 votes, 1 answer

Encrypted view state vulnerable?

While reading up on view state as a possible means to prevent CSRF, I came across this Microsoft Security Bulletin which states: An attacker who successfully exploited this vulnerability could read data, such as the view state, which was…
Abe Miessler
2 votes, 2 answers

Is this test enough to prove that the web application is vulnerable to Login CSRF?

SCENARIO: a web application which I think is affected by: a self-XSS in the profile section of a user, logout CSRF, and login CSRF. Below I describe the tests I did to check for the last two vulnerabilities; I'd appreciate an opinion about their…
Maicake
2 votes, 1 answer

What is the purpose of the Secret Key in MAC's ViewState ASP.net?

According to what I understand from the ViewState method in ASP.NET, when the server generates the ViewState with MAC enabled, it will send it to the client with the MAC, computed from the ViewState message, at the end of the ViewState. Then, the…
Duke Nukem
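The mechanics behind this question and the two CSRF questions above (why the MAC needs a server-side secret, and why the MAC alone does not stop CSRF unless a per-user ViewStateUserKey is mixed in), as an added Python example that is not code from this page or from ASP.NET. It is a deliberately simplified model: the real framework computes the MAC in its MachineKey code over the ObjectStateFormatter output plus a modifier that includes Page.ViewStateUserKey. The state bytes, the demo validation key and the session strings are all constructed for the example.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for the serialised page state. A real blob comes from
# ObjectStateFormatter; these bytes only play that role here.
SAMPLE_STATE = b"\xff\x01" + b"change-password-form-state"

# Hypothetical server-side secret standing in for the machineKey validationKey.
# It never leaves the server, which is what makes the MAC unforgeable.
SERVER_VALIDATION_KEY = hashlib.sha256(b"constructed demo validationKey").digest()
MAC_LEN = hashlib.sha256().digest_size


def sign_viewstate(state, validation_key, viewstate_user_key=""):
    """Return base64(state || HMAC), the shape of a MAC-protected __VIEWSTATE.

    The per-user ViewStateUserKey is mixed into the MAC input, so a blob
    issued in one session does not verify in another.
    """
    msg = state + viewstate_user_key.encode()
    mac = hmac.new(validation_key, msg, hashlib.sha256).digest()
    return base64.b64encode(state + mac).decode("ascii")


def verify_viewstate(value, validation_key, viewstate_user_key=""):
    """Return the state if the MAC verifies for this user, otherwise None."""
    raw = base64.b64decode(value)
    if len(raw) <= MAC_LEN:
        return None
    state, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    msg = state + viewstate_user_key.encode()
    expected = hmac.new(validation_key, msg, hashlib.sha256).digest()
    return state if hmac.compare_digest(mac, expected) else None


def tampered_state_is_rejected():
    """Flipping one bit of the state without the key breaks the MAC."""
    value = sign_viewstate(SAMPLE_STATE, SERVER_VALIDATION_KEY, "alice-session")
    raw = bytearray(base64.b64decode(value))
    raw[5] ^= 0x01
    tampered = base64.b64encode(bytes(raw)).decode("ascii")
    return verify_viewstate(tampered, SERVER_VALIDATION_KEY, "alice-session") is None


def forged_mac_is_rejected():
    """Without the validationKey an attacker can only guess; a guessed key fails."""
    forged = sign_viewstate(SAMPLE_STATE, b"\x00" * 32, "victim-session")
    return verify_viewstate(forged, SERVER_VALIDATION_KEY, "victim-session") is None


def replay_across_users_is_rejected():
    """CSRF attempt: a blob captured in the attacker's own session is submitted
    on behalf of the victim. With ViewStateUserKey set, the MAC does not verify."""
    captured = sign_viewstate(SAMPLE_STATE, SERVER_VALIDATION_KEY, "attacker-session")
    return verify_viewstate(captured, SERVER_VALIDATION_KEY, "victim-session") is None


def replay_without_user_key_succeeds():
    """Same replay with no ViewStateUserKey: the MAC verifies, because it proves
    integrity, not which user the blob was issued to. MAC alone is not a CSRF defence."""
    captured = sign_viewstate(SAMPLE_STATE, SERVER_VALIDATION_KEY)
    return verify_viewstate(captured, SERVER_VALIDATION_KEY) == SAMPLE_STATE


if __name__ == "__main__":
    print("tampered rejected:", tampered_state_is_rejected())
    print("forged rejected:", forged_mac_is_rejected())
    print("cross-user replay rejected:", replay_across_users_is_rejected())
    print("replay without ViewStateUserKey accepted:", replay_without_user_key_succeeds())
```

The last two functions are the whole CSRF argument in miniature: the secret key stops anyone outside the server from producing a valid MAC, but a valid blob the attacker obtained legitimately in their own session still verifies for the victim unless something session-specific (OWASP's recommendation is setting ViewStateUserKey to the session ID) is part of what the MAC covers.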
1 vote, 0 answers

Decoding Viewstate of asp page

I already searched for an answer, and saw that the view state should be base64 encoded. However, I used Fiddler to try and decode it and the answer I get back is a string of strange characters. Here is the original URL-encoded viewstate portion of…
jony
0 votes, 1 answer

How to get session info out of encrypted .NET viewstate?

I am performing a penetration test for the first time on a .NET application that, instead of providing cookies for session management, uses the viewstate hidden field. I am using the .NET Beautifier plugin in Burp in order to decode the value of…
XII
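The offline check that the questions "How to determine if ViewState has MAC enabled when crawling a page?", "Decoding Viewstate of asp page" and "How to get session info out of encrypted .NET viewstate?" all circle around, as an added Python example that is not code from this page, from Burp or from ASP.NET. It base64-decodes a __VIEWSTATE value, decodes the plaintext ObjectStateFormatter stream with a minimal parser covering a subset of the token bytes (Pair, Triplet, ArrayList, the integer and string tokens, Null/True/False), and then reads the MAC from what is left over: a MAC-protected blob is the serialised state followed by an HMAC, so the trailer length (20 bytes for SHA1, 32 for SHA256) tells you the MAC is on, a zero-length trailer tells you it is off, and a blob that does not start with the 0xFF 0x01 plaintext header cannot be decoded offline at all because it is encrypted (which is as far as the "session info out of encrypted viewstate" question can get without the server's decryption key). The sample blob, the demo key and the control names are constructed; real blobs use further tokens (dates, arrays, type references, binary-serialised objects) on which this parser raises rather than guessing.

```python
import base64
import hashlib
import hmac
import struct

# Subset of ObjectStateFormatter token bytes; anything else raises "unsupported".
T_INT16, T_INT32, T_BYTE, T_STRING = 0x01, 0x02, 0x03, 0x05
T_PAIR, T_TRIPLET, T_ARRAYLIST = 0x0F, 0x10, 0x16
T_INDEXED_STRING_ADD, T_INDEXED_STRING = 0x1E, 0x1F
T_NULL, T_EMPTY_STRING, T_ZERO, T_TRUE, T_FALSE = 0x64, 0x65, 0x66, 0x67, 0x68
HEADER = b"\xff\x01"  # marks an unencrypted ObjectStateFormatter stream
MAC_NAMES = {0: "none", 20: "HMACSHA1", 32: "HMACSHA256", 48: "HMACSHA384", 64: "HMACSHA512"}


def read_7bit_int(buf, pos):
    """BinaryReader.Read7BitEncodedInt: little-endian groups of 7 bits."""
    result, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7


def parse_value(buf, pos, strings):
    """Decode one value starting at buf[pos]; return (value, next_pos)."""
    tok = buf[pos]
    pos += 1
    simple = {T_NULL: None, T_EMPTY_STRING: "", T_ZERO: 0, T_TRUE: True, T_FALSE: False}
    if tok in simple:
        return simple[tok], pos
    if tok == T_BYTE:
        return buf[pos], pos + 1
    if tok == T_INT16:
        return struct.unpack_from("<h", buf, pos)[0], pos + 2
    if tok == T_INT32:
        return read_7bit_int(buf, pos)
    if tok in (T_STRING, T_INDEXED_STRING_ADD):
        n, pos = read_7bit_int(buf, pos)
        s = buf[pos:pos + n].decode("utf-8")
        if tok == T_INDEXED_STRING_ADD:
            strings.append(s)  # later occurrences are written as a one-byte index
        return s, pos + n
    if tok == T_INDEXED_STRING:
        return strings[buf[pos]], pos + 1
    if tok in (T_PAIR, T_TRIPLET, T_ARRAYLIST):
        if tok == T_ARRAYLIST:
            count, pos = read_7bit_int(buf, pos)
        else:
            count = 2 if tok == T_PAIR else 3
        items = []
        for _ in range(count):
            item, pos = parse_value(buf, pos, strings)
            items.append(item)
        return (items if tok == T_ARRAYLIST else tuple(items)), pos
    raise ValueError(f"unsupported token 0x{tok:02x} at offset {pos - 1}")


def classify_viewstate(b64_value):
    """Report whether a __VIEWSTATE value is encrypted and, if not, its MAC trailer."""
    raw = base64.b64decode(b64_value)
    if not raw.startswith(HEADER):
        # No plaintext header: encrypted (or not a ViewState). Nothing more to learn offline.
        return {"encrypted": True, "mac": None, "state": None}
    state, end = parse_value(raw, len(HEADER), [])
    trailer = len(raw) - end
    return {"encrypted": False,
            "mac": MAC_NAMES.get(trailer, f"unknown ({trailer} trailing bytes)"),
            "state": state}


# Constructed sample: Pair(12345, Triplet("ctl00", Null, [True, "txtEmail"])).
SAMPLE_STATE = (HEADER
                + bytes([T_PAIR, T_INT32, 0xB9, 0x60])  # 12345, 7-bit encoded
                + bytes([T_TRIPLET, T_STRING, 5]) + b"ctl00"
                + bytes([T_NULL, T_ARRAYLIST, 2, T_TRUE])
                + bytes([T_INDEXED_STRING_ADD, 8]) + b"txtEmail")
DEMO_KEY = hashlib.sha256(b"constructed demo validationKey").digest()  # hypothetical machineKey

SAMPLE_PLAIN = base64.b64encode(SAMPLE_STATE).decode("ascii")
SAMPLE_MAC = base64.b64encode(
    SAMPLE_STATE + hmac.new(DEMO_KEY, SAMPLE_STATE, hashlib.sha256).digest()).decode("ascii")
SAMPLE_ENCRYPTED = base64.b64encode(bytes(range(0x10, 0x40))).decode("ascii")  # stand-in for ciphertext

if __name__ == "__main__":
    for name, value in (("plain", SAMPLE_PLAIN), ("mac", SAMPLE_MAC), ("encrypted", SAMPLE_ENCRYPTED)):
        print(name, classify_viewstate(value))
```

Feed it a URL-decoded __VIEWSTATE value (the "string of strange characters" in the Fiddler question is exactly what a base64 decode of a MAC-protected or encrypted blob looks like when printed as text) and the verdict is one of three: decodable with no trailer, decodable with an HMAC-sized trailer, or not decodable because it is encrypted. The check only measures the trailer; it does not verify the MAC, which needs the server's validationKey.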