ViewState and Hacking ViewState Data In ASP.NET Beware!!!!!!!!

Saturday, July 31, 2010

ViewState and Hacking ViewState Data In ASP.NET Beware!!!!!!!!

Asp.net View State help us to retrieve data after Postbacks. But remember this data is generally not safe as it is simply serialized and stored in the rendered HTML.

Suppose this is the Server Code

protected void Page_Load(object sender, EventArgs e)
    {
        ViewState["password"] = "mypassword";
    }

Its Rendered HTMLis like this

U can Decode View State data Simply like this

   string data = "/wEPDwUKMTQ2OTkzNDMyMQ8WAh4IcGFzc3dvcmQFCm15cGFzc3dvcmRkZBFNlyb3T/zu6sd7uJs/TN9V0e5z";
        string password = System.Text.Encoding.ASCII.GetString(Convert.FromBase64String(data));
        Response.Write(password);



So the Result will be Like This

? 1469934321 password mypassworddd M?&?O????{???L?U??

See the data Decode... So Beware Dont Store Important data in ViewState as the it can be easily reteived from the HTML.. You can enable automatic
hash codes to prevent view state tampering, and you can even encrypt view state to prevent it from being decoded

3 comments:

SobinAugust 1, 2010 at 10:30 PM
Very Informative! thanks...
ReplyDelete
Replies
MARTIN K ABRAHAMAugust 2, 2010 at 1:20 AM
Welcome Sobin...
ReplyDelete
Replies
UnknownJune 19, 2012 at 5:31 PM
that's nice, programmer like you is great..
ReplyDelete
Replies

Add comment