How EnableViewStateMAC Makes ViewState Secure

By -

How EnableViewStateMAC Makes ViewState Secure ?
The ASP.NET ViewState is a client side state management mechanism. The ViewState is stored in a hidden field with an ID __VIEWSTATE. Typically, stored ViewState information looks like:
image
ViewState value looks likes an encrypted string. This is nothing but a Base64 encoded string, and is not an encrypted string. So it can be easily decoded.
The main reasons for using Base64 encoding are as follows:
  1. Base64 makes a string suitable for HTTP transfers
  2. It makes it a little harder to read
But people often get confused that this is an encrypted string.
Let us try to decode the string using ViewState Decoder (a nice tool created by Fritz Onion).
image
After decoding the string, we can see the exact data that is stored inside the ViewState. 
You can write a few lines of code to decode the text and you will get the actual View State information.
image
By default, ViewState is serialized into a Base-64 encoded string. On postback, the ViewState information is loaded and reapplied to the persisted state of the control in the control hierarchy.
You can make sure that the ViewState information is tamper-proof by using “hash codes”. You can do this by adding EnableViewStateMAC=true in your page directive. MAC stands for “Message Authentication Code”.
image
When we use EnableViewStateMac="True", during ViewState save, ASP.NET internally uses a hash code. This hash code is a cryptographically strong checksum. This is added with the ViewState content and stored in a hidden filed. During postback, the checksum data is verified again by ASP.NET. If there is a mismatch, the postback will be rejected.
image


Sagar S Bhanushali

Comments

Post a Comment

Popular posts from this blog

All Google Hacking Keyword - New Updated

By -
                      All Google Hacking Keywords It's not so hard, you just type 1 of these lines into the search bar at www.google.com . Then you'll get several links with secret information about different hompages, for example: admin passwords for ftps, ventrilo servers etc. "admin account info" filetype:log !Host=*.* intext:enc_UserPassword=* ext:pcf "# -FrontPage-" ext:pwd inurl:(service | authors | administrators | users) "# -FrontPage-" inurl:service.pwd "AutoCreate=TRUE password=*" "http://*:*@www" domainname "index of/" "ws_ftp.ini" "parent directory" "liveice configuration file" ext:cfg -site:sourceforge.net "parent directory" +proftpdpasswd " Duclassified" -site:duware.com "DUware All Rights reserved" " duclassmate" -site:duware.com " Dudirectory" -site:duware.com " dudownload" -site:duware.com ...
Read more

Free Email IDs - List 1

By -
poohpool@signet.com  meixin_kok@hotmail.com  ngai_nicole@hotmail.com  isabelle_gal@hotmail.com  michelle-878@hotmail.com  valerietan98@gmail.com  remuskan@hotmail.com  genevieve.goh@hotmail.com  poonzheng5798@yahoo.com  burgergirl96@hotmail.com  insyirah_powergals@hotmail.com  little_princess-angel@hotmail.com  ifah_duff@hotmail.com  tweety_butt@hotmail.com  choco_ela@hotmail.com  princessdyanah@hotmail.com  isabelle_gal@hotmail.com  choco_ela@hotmail.com  tweety_butt@hotmail.com  emotionallady_94@hotmail.com  weiheng1998@yahoo.com.sg  nas_wify011005@hotmail.com  issabelle_gal@hotmail.com  zihah_lovepurple@hotmail.com  adeline-98@hotmail.com  ifah_duff@hotmail.com  fionachiwei@hotmail.com  frens_luv_sad_hatred@hotmail.com  clara1_wong@hotmail.com  burgergirl96@gmail.com  princess_dyanah@hotmail.com  a_q...
Read more