I’m learning ASP.NET now and I am a bit confused by the __VIEWSTATE and __EVENTVALIDATION.
- Would it be possible to read the value of those two items to learn about the internals of the app and possibly manipulate it? For example, people write that the __VIEWSTATE contains information about the properties of elements that are not sent back through the POSTBACK, like a label for example. Wouldn't it be possible then to manipulate the value of labels in an app to make it display wrong information?
- Would it be possible to change the value of __VIEWSTATE to a much larger value so that when it is posted back to the server it adds serious overhead to decompressing and/or decrypting the information, thus basically making a DDoS?
Yes, it is possible to read the values of the viewstate. It is base64 encoded, which does not mean it is encrypted, so to read its values all you need to do is convert it from base64 to UTF-8 and you will be able to read its contents. Try it out here for yourself. Each control is listed along with several of its properties. In regards to manipulating the contents, this is possible but difficult, as the contents are validated before being processed on the server end.
Yes, it's possible. If your site is targeted for an attack and a huge number of large requests are sent with large viewstates, then it will have a corresponding effect on the server.
Take a look at the following: