
Rich Cannings, Himanshu Dwivedi, Zane Lackey, and Alex Stamos

"Hacking Exposed Web 2.0: Web 2.0 Security Secrets and Solutions"

Net to maintain information about the state of ASP.Net web controls on a
page. For example, it records which items are currently being displayed in a DropDown-
List and which item was last selected. To reduce the amount of memory required by the
server, ASP.Net encodes this data and places it into the page as a hidden form field. The
viewstate is then sent to the server so that the server can render subsequent page views
accurately. Developers can also place custom values into the viewstate to access them
later. By keeping the state on the client, it is easier to write web applications that scale.
Even though viewstate is central to the operation of much within ASP.Net, its
implementation and behavior are poorly documented. This poor documentation and a
general lack of developer understanding provide a potential attack surface for attackers
looking for vulnerabilities in ASP.Net applications.
Viewstate Implementation
ASP.Net places a viewstate blob in each page as a hidden form field. To view a page's
viewstate, simply view the source of the page and search for the _VIEWSTATE field ID.
The viewstate is transmitted as a Base64-encoded binary blob. When ASP.Net receives a
viewstate field, it will decode the blob and then deserialize it using the System.
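The two steps just described, locating the hidden viewstate field in a page's source and Base64-decoding it, are easy to script, and doing so is a quick way to audit what an application is actually placing in viewstate (including any custom developer values). The following is an added example, not code from the book or from ASP.Net itself. It assumes the field is named `__VIEWSTATE` (the page mentions `_VIEWSTATE`; the suffix match covers both), that the decoded blob begins with the `0xFF 0x01` marker that ASP.Net 2.0 and later emit from its object-state serializer, and it uses a constructed sample page and a constructed blob rather than output captured from a real server.

```python
import base64
import re
from html.parser import HTMLParser


class HiddenFieldParser(HTMLParser):
    """Collect name -> value for every <input type="hidden"> in a page."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        if (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""


def extract_viewstate(html: str) -> bytes:
    """Find the viewstate hidden field in page source and Base64-decode it."""
    parser = HiddenFieldParser()
    parser.feed(html)
    for name, value in parser.fields.items():
        # Matches "__VIEWSTATE" as well as the "_VIEWSTATE" spelling used in the text.
        if name.endswith("VIEWSTATE"):
            return base64.b64decode(value)
    raise ValueError("no viewstate hidden field found in page")


def inspect_viewstate(blob: bytes) -> dict:
    """Summarise a decoded viewstate blob for review.

    los_header: True when the blob starts with 0xFF 0x01, the marker written by
    the ASP.Net 2.0+ object-state serializer (assumption: older 1.x pages differ).
    strings:    printable ASCII runs of four or more bytes, which is where control
                values and developer-placed custom data tend to be visible.
    """
    return {
        "size": len(blob),
        "los_header": blob[:2] == b"\xff\x01",
        "strings": [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{4,}", blob)],
    }


# Constructed sample: header bytes followed by a toy payload. This is NOT a real
# serialized viewstate; it only mimics the shape well enough to exercise the code.
SAMPLE_BLOB = b"\xff\x01" + b"\x05\x0fAcmeDropDown:US" + b"\x05\x0bcustomValue"

# Constructed page source in the form ASP.Net emits for its hidden fields.
SAMPLE_HTML = (
    '<form method="post" action="default.aspx">'
    '<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="%s" />'
    '<input type="hidden" name="__EVENTVALIDATION" value="AAAA" />'
    "</form>"
) % base64.b64encode(SAMPLE_BLOB).decode("ascii")


if __name__ == "__main__":
    decoded = extract_viewstate(SAMPLE_HTML)
    report = inspect_viewstate(decoded)
    print("viewstate size: %d bytes" % report["size"])
    print("2.0+ serializer header:", report["los_header"])
    for s in report["strings"]:
        print("  string:", s)
```

Running this against your own pages (replace `SAMPLE_HTML` with saved page source) tells you immediately whether sensitive values are riding in viewstate in readable form; if they are, they should be moved server-side or viewstate should be encrypted and MAC-protected.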