cyphersec A blog about Web Application Security and .NET development best practices

25 May 08

Hacking ViewState for Fun and Profit

The View State object is stored in a single Base64-encoded string that looks like this:

    <input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="dDw3NDg2NTI5MDg7Oz4="/>

Because this value isn't formatted as clear text, many ASP.NET programmers assume that their view state data is encrypted. A clever hacker could reverse-engineer this string and examine your view state data in a matter of seconds.

Here is a PoC that shows how it can be done.

Filename: firenze.aspx.cs

    /// ########################################################################################################################
    /// Tool Name   : Firenze
    /// Author      : Alessio "nTze" Marziali
    /// Contact     : alessio@cyphersec.com
    /// Url:          http://www.cyphersec.com
    /// Note:         Microsoft ASP.NET is a powerful web application framework available on the market.
    ///               It's being used in big environments to build robust and scalable web applications.
    ///               Unfortunately, due to lack of skills, some so called ASP.NET developers are not investing time in security.
    ///
    ///               ASP.NET Security is getting more and more important due to the fact that it gives its best on Large
    ///               Enterprise Web Application scenarios.
    ///
    ///               This tool was born based on the idea to show how reading sensitive information can be possible
    ///               on Web-Applications like E-Banks which are implementing ViewState Object.
    /// ########################################################################################################################
    using System;
    using System.Web;
    using System.Web.UI;
    using System.Web.UI.HtmlControls;
    using System.Web.UI.WebControls;

    /// <summary>
    /// Hacking ViewState:
    /// Because it isn't formatted as clear text, many ASP.NET programmers assume that their
    /// view state data is encrypted. It isn't. A clever hacker could reverse-engineer this string and examine
    /// your view state data in a matter of seconds (here is how).
    /// </summary>
    public partial class _Default : System.Web.UI.Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            Page.Title = "Firenze : ViewState automated hacking tool";
            TextBox UITextBox = new TextBox();              // Create a TextBox item

            // Set properties
            UITextBox.TextMode = TextBoxMode.MultiLine;
            UITextBox.Wrap = true;
            UITextBox.Rows = 10;
            UITextBox.Width = 300;
            UITextBox.ID = "UIViewStateCode1";
            UITextBox.CssClass = "viewStateBox";
            UITextBox.Text = "ViewState Goes here";

            // Show through UIReader1 (PlaceHolder)
            UIReader1.Controls.Add(UITextBox);

            // UIButton properties
            UIButton1.Text = "Decode ViewState";
            UIButton1.Width = UITextBox.Width;
        }

        /// <summary>
        /// UIButton1_Click Event Handler
        /// </summary>
        /// <param name="sender">object</param>
        /// <param name="e">EventArgs</param>
        protected void UIButton1_Click(object sender, EventArgs e)
        {
            // Check that the TextBox control exists within the page
            TextBox retrievedControl = Page.FindControl("UIViewStateCode1") as TextBox;
            if (retrievedControl == null)
            {
                UILiteral.Text = "Can't find textbox control, giving up..";
                return;
            }

            // HTML-encode the decoded text: it is user-supplied and is written back into the page
            UILiteral.Text = HttpUtility.HtmlEncode(ReadViewState(retrievedControl.Text));
        }

        /// <summary>
        /// theViewState contains the view state information.
        /// Convert the Base64 string to an ordinary array of bytes
        /// representing ASCII characters.
        /// </summary>
        /// <param name="theViewState">System.String - ViewState</param>
        /// <returns>System.String - Human readable code</returns>
        protected internal string ReadViewState(string theViewState)
        {
            string decodedViewState = string.Empty;
            try
            {
                byte[] stringBytes = Convert.FromBase64String(theViewState);                    // Create an array of bytes
                decodedViewState = System.Text.Encoding.ASCII.GetString(stringBytes);           // Decode as 7-bit ASCII
            }
            catch (System.FormatException)
            {
                return "Sorry, Looks like you were looking for something i can't read";
            }
            return decodedViewState;
        }
    }

Filename: firenze.aspx

    <%@ Page Language="C#" AutoEventWireup="true"  EnableViewState="false" CodeFile="firenze.aspx.cs" Inherits="_Default" %>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head runat="server">
    <link rel="Stylesheet" href="Css/StyleSheet.css" type="text/css" />
        <title>Hacking My Own ViewState</title>
    </head>
    <body>
        <form id="form1" runat="server">
            <asp:PlaceHolder id="UIReader1" runat="server" /><br /><br />
            <asp:Button ID="UIButton1" runat="server" onclick="UIButton1_Click" />
            <br /><br />
            <asp:Literal ID="UILiteral" runat="server" />
        </form>
    </body>
    </html>
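
The PoC above decodes every value as ASCII text. As an added example (not code from the original post or from Firenze), the console program below goes one step further for auditing your own pages: it classifies a captured `__VIEWSTATE` value by its leading bytes and lists the readable strings it exposes, covering both the text format of the post's sample and the binary format used since ASP.NET 2.0. The names `ViewStateAudit`, `Kind`, `Classify` and `ReadableStrings`, and the second sample value, are made up for this example.

```csharp
// Added example: ViewStateAudit and its members are names chosen here, not part of ASP.NET.
using System;
using System.Collections.Generic;
using System.Text;

public static class ViewStateAudit
{
    public enum Kind { NotBase64, LegacyPlaintext, SerializedPlaintext, Opaque }

    // "t<" opens the text format seen in the post's sample; 0xFF 0x01 opens the
    // binary ObjectStateFormatter stream that ASP.NET 2.0 and later emit.
    public static Kind Classify(string viewState, out byte[] raw)
    {
        raw = null;
        try { raw = Convert.FromBase64String((viewState ?? "").Trim()); }
        catch (FormatException) { return Kind.NotBase64; }
        if (raw.Length >= 2 && raw[0] == (byte)'t' && raw[1] == (byte)'<') return Kind.LegacyPlaintext;
        if (raw.Length >= 2 && raw[0] == 0xFF && raw[1] == 0x01) return Kind.SerializedPlaintext;
        return Kind.Opaque;   // no known header: consistent with encryption, but not proof of it
    }

    // Runs of printable ASCII at least minLen long: what anyone viewing the page source can read.
    public static List<string> ReadableStrings(byte[] raw, int minLen)
    {
        List<string> found = new List<string>();
        StringBuilder run = new StringBuilder();
        foreach (byte b in raw)
        {
            if (b >= 0x20 && b < 0x7F) { run.Append((char)b); continue; }
            if (run.Length >= minLen) found.Add(run.ToString());
            run.Length = 0;
        }
        if (run.Length >= minLen) found.Add(run.ToString());
        return found;
    }

    public static void Main()
    {
        // First value is the one quoted in the post; the second is constructed for this example.
        string[] samples = { "dDw3NDg2NTI5MDg7Oz4=", "/wEFDmFjY291bnQ9MTIzNDU2" };
        foreach (string s in samples)
        {
            byte[] raw;
            Kind kind = Classify(s, out raw);
            string text = raw == null ? "" : string.Join(" | ", ReadableStrings(raw, 4).ToArray());
            Console.WriteLine("{0}: {1}", kind, text);
        }
    }
}
```

A value that carries only a MAC still classifies as `SerializedPlaintext`: the MAC stops tampering but does not hide the contents.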

About Alessio Marziali

Alessio Marziali (MCTS) is a Security Consultant with 9 years of experience developing secure applications with Microsoft .NET in a variety of sectors in UK and Italy. Published technical author with two ASP.NET books currently available for purchase and OWASP Code Crawler Project Leader.
Comments (4) Trackbacks (0)
  1. Hello my friend, well I have a question, 'cause I develop in .NET and the view state is a good tool to retrieve data in my applications,
    do you have any recommendation??
    Regards
    Karl

  2. Hello Karl!

    Yes, a few of them.
    Depending on the data you are storing, keep your viewstate secured (ref: http://msdn.microsoft.com/en-us/library/aa479501.aspx). A first step would be encrypting it using a strong Validation (3DES for example).

    Also, from a development and performance perspective, be sure to make proper use of the viewstate class, using it only when it's needed. Mostly, .NET Controls have the property EnableViewState set to true by default.

    Remember: ViewState is something insecure by default (it can be manipulated by the end user easily). For more secure data transmissions I would recommend using a bespoke implementation.

    Cheers!

  3. dear nTze

    I have some project for my university to do some hacking stuff, and my university site is using this viewstate login, I already encrypt the source code and also the viewstate value, but I don't have any idea for the next step.. can you pls help me little for this?

    Regards

  4. Hi mxyzplk,

    I don't quite get it, if you are after protecting your web application and already had encrypted viewstate then there's not much to add.

    Perhaps you could also use the Health Monitoring that comes with ASP.NET 2.0 onwards in order to tailor an additional level of security.

    This is very specific to ViewState tho, in fact using ViewStateFailureAuditEvent will give you the chance to log and programmatically respond to such events.

