Saturday, July 31, 2010

ViewState and Hacking ViewState Data In ASP.NET Beware!!!!!!!!

ASP.NET ViewState helps us retain data across postbacks. But remember that this data is generally not safe, as it is simply serialized and stored in the rendered HTML.

Suppose this is the server code:



protected void Page_Load(object sender, EventArgs e)
{
    // Anything placed in ViewState is serialized into the rendered HTML
    ViewState["password"] = "mypassword";
}

Its rendered HTML is like this:




                                                    







You can decode ViewState data simply like this:

    // Base64-decode the ViewState value and read the bytes as ASCII text
    string data = "/wEPDwUKMTQ2OTkzNDMyMQ8WAh4IcGFzc3dvcmQFCm15cGFzc3dvcmRkZBFNlyb3T/zu6sd7uJs/TN9V0e5z";
    string password = System.Text.Encoding.ASCII.GetString(Convert.FromBase64String(data));
    Response.Write(password);

    

So the result will be like this:

? 1469934321 password mypassworddd M?&?O????{???L?U??


See, the data is decoded. So beware: don't store important data in ViewState, as it can be easily retrieved from the HTML. You can enable automatic hash codes to prevent view state tampering, and you can even encrypt view state to prevent it from being decoded.
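The same decoding can be turned into an audit of your own rendered pages, listing every readable string a visitor could pull out of the view state. This Python script is an added example, not code from the original post; the view state value is the one shown above, while the HTML wrapper around it and the watchlist words are constructed assumptions.

```python
import base64
import re

# The view state value from the post's own example.
SAMPLE = ("/wEPDwUKMTQ2OTkzNDMyMQ8WAh4IcGFzc3dvcmQFCm15cGFzc3dvcmRk"
          "ZBFNlyb3T/zu6sd7uJs/TN9V0e5z")

# Constructed sample page (assumption: the usual __VIEWSTATE hidden field).
SAMPLE_HTML = ('<form><input type="hidden" name="__VIEWSTATE" '
               'id="__VIEWSTATE" value="%s" /></form>' % SAMPLE)

FIELD_RE = re.compile(r'name="__VIEWSTATE"[^>]*\bvalue="([^"]*)"')
PRINTABLE_RE = re.compile(rb"[\x20-\x7e]{4,}")  # ASCII runs of 4+ characters

# Hypothetical watchlist; extend it with terms that matter in your application.
WATCHLIST = ("password", "secret", "token", "connectionstring")


def extract_viewstate(html):
    """Return the Base64 __VIEWSTATE value from rendered HTML, or None."""
    match = FIELD_RE.search(html)
    return match.group(1) if match else None


def audit_viewstate(b64_value, watchlist=WATCHLIST):
    """Decode a view state value and report what a page visitor could read."""
    raw = base64.b64decode(b64_value, validate=True)
    strings = [s.decode("ascii") for s in PRINTABLE_RE.findall(raw)]
    sensitive = [s for s in strings if any(w in s.lower() for w in watchlist)]
    return {
        "bytes": len(raw),
        # Unencrypted serialized view state starts with the bytes 0xFF 0x01.
        "plaintext_header": raw[:2] == b"\xff\x01",
        "strings": strings,
        "sensitive": sensitive,
    }


if __name__ == "__main__":
    report = audit_viewstate(extract_viewstate(SAMPLE_HTML))
    for key, value in report.items():
        print(f"{key}: {value}")
```

A page whose report shows `plaintext_header` as true and a non-empty `sensitive` list is storing readable secrets in view state and should move them server-side or turn on view state encryption.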
