
Rich Cannings, Himanshu Dwivedi, Zane Lackey, and Alex Stamos

"Hacking Exposed Web 2.0: Web 2.0 Security Secrets and Solutions"

Since viewstate
is not encrypted by default, the attacker wants to take advantage of a developer's
oversight and attempts to learn about the application. To use this tool, he can either point
it at a web page or manually copy the viewstate out of the web page's source.
Here's how an attacker extracts a viewstate and decodes it:
1. Open the source code of the web page using the browser's View Source
command.
2. Search for the string _VIEWSTATE within the page. This should find a hidden
form field.
3. Copy the _VIEWSTATE from the page into the Viewstate String field within
viewstate decoder.
4. Explore the _VIEWSTATE in the tree display on the right side of the decoder.
Do Not Place Sensitive Information in the Viewstate
While most of the information in the viewstate will be uninteresting, an attacker can learn
a lot by examining it, including account information or internal system information.
Successful decoding of the viewstate will also indicate whether or not the viewstate has
been encrypted. If sensitive information is stored within the decoded viewstate, a serious
vulnerability results. Since viewstate is part of the page's text, it will be transmitted over the
network with each page view and persisted in cached pages.
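The extraction steps above and the "has it been encrypted, and does it leak anything?" check can be scripted for auditing your own pages. The following is an added example, not code from the book or the viewstate decoder it describes; the sample page, its serialized payload and the format-marker heuristic (0xFF 0x01 for a .NET 2.0+ ObjectStateFormatter blob, a leading "t<" for .NET 1.x LosFormatter text) are assumptions made here.

```python
import base64
import re

# Constructed sample: a form whose viewstate is serialized but NOT encrypted.
# The payload is hypothetical; it is not captured from any real application.
PLAINTEXT_STATE = b"\xff\x01\x0f\x05\x0e" + b"internal-db01\x00account=4411"
SAMPLE_HTML = (
    '<form method="post"><input type="hidden" name="__VIEWSTATE" '
    'id="__VIEWSTATE" value="%s" /></form>'
    % base64.b64encode(PLAINTEXT_STATE).decode()
)

# Step 2 of the procedure: locate the hidden __VIEWSTATE field in the page source.
VIEWSTATE_RE = re.compile(r'name="__VIEWSTATE"[^>]*value="([^"]*)"')


def extract_viewstate(html):
    """Return the raw (base64-decoded) viewstate bytes, or None if absent."""
    m = VIEWSTATE_RE.search(html)
    return base64.b64decode(m.group(1)) if m else None


def classify(raw):
    """Heuristic (assumed format markers): is this blob readable or opaque?

    Unencrypted .NET 2.0+ viewstate starts with 0xFF 0x01; .NET 1.x text
    viewstate starts with "t<". Anything else is treated as opaque, which is
    what a decoder that fails to parse an encrypted blob would show you.
    """
    if raw[:2] == b"\xff\x01":
        return "plaintext (ObjectStateFormatter)"
    if raw.startswith(b"t<"):
        return "plaintext (LosFormatter)"
    return "opaque: encrypted or unrecognized"


def readable_strings(raw, min_len=6):
    """Printable ASCII runs: what an attacker could read straight out of it."""
    return re.findall(rb"[ -~]{%d,}" % min_len, raw)


if __name__ == "__main__":
    blob = extract_viewstate(SAMPLE_HTML)
    print(classify(blob))
    for s in readable_strings(blob):
        print("leaked:", s.decode())
```

Run it against saved copies of your own application's pages; any page classified as plaintext whose readable strings include account or host details is exactly the finding the section warns about.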

