Question

ASP and ASP.NET web applications use a value called VIEWSTATE in forms. From what I understand, this is used to persist some kind of state on the client between requests to the web server.

I have never worked with ASP or ASP.NET and need some help with two questions (and some sub-questions):

1) Is it possible to programmatically spoof/construct a VIEWSTATE for a form? Clarification: can a program look at a form and from that construct the contents of the base64-encoded VIEWSTATE value?

1 a) Or can it always just be left out?

1 b) Can an old VIEWSTATE for a particular form be reused in a later invocation of the same form, or would it just be luck if that worked?

2) I gather from http://msdn.microsoft.com/en-us/library/ms972976.aspx#viewstate_topic12 that it is possible to turn on security so that the VIEWSTATE becomes secure from spoofing. Is it possible for a program to detect that a VIEWSTATE is safeguarded in such a way?

2 a) Is there a one-to-one mapping between the occurrence of EVENTVALIDATION values and secure VIEWSTATEs?

Regarding 1) and 2), if yes, can I have a hint about how I would do that? For 2) I am thinking I could base64-decode the value and search for a string that always is found in unencrypted VIEWSTATEs. “First:”? Something else?

Background

I have made a small tool for detecting and exploiting so called CSRF vulnerabilities. I use it to quickly make proof of concepts of such vulnerabilities that I send to the affected site owners. Quite often I encounter these forms with a VIEWSTATE, and these I don’t know if they are secure or not.

Edit 1: Clarified question 1 somewhat.

Edit 2: Added text in italics.