Web application security - the fast guide 1.1 | Page 99
Chapter 5 - Attack Execution the client
5.12 Attack ViewState
Figure 38: Altering ViewState (flow diagram: the client sends the ViewState info; the attacker intercepts the request with Burp, decodes and extracts the value, alters the value and recodes it, and resends the altered request with the privileged value to the server; the server sends a privileged response).
ViewState is a method of preserving state information when a form is submitted, so that the form contents survive the postback. It also supports adding any extra information to it using the expression:
ViewState["Key"] = value;
An attacker might try to alter the encoded ViewState value passed as a hidden field.
Attack requirements:
Ability to decode the Base64-encoded string in the ViewState hidden value.
MAC is disabled. MAC is a tampering-protection mechanism that adds a keyed hash to the ViewState value.
Attack process
A. Using a proxy, capture a request containing a ViewState value.
B. Use a decoder to decode the value, which is normally Base64-encoded (the Burp decoder can be used for that purpose); this reveals the hidden parameters.
C. Alter the parameter and re-encode the ViewState value.
D. Release the request to be served by the server.
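Added example (not from the book) contrasting the two server-side behaviours the requirements above describe: a ViewState-like hidden-field value that is only Base64-encoded accepts the field altered in steps B and C, while one carrying a keyed hash (MAC) rejects it. The JSON payload, SAMPLE_STATE and SERVER_KEY are constructed stand-ins; real ASP.NET ViewState uses its own serialisation format and a machineKey-derived MAC.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample state standing in for the hidden-field contents.
SAMPLE_STATE = {"user": "alice", "role": "user", "cart_total": 42}
SERVER_KEY = b"constructed-demo-key-do-not-reuse"  # stand-in for machineKey
TAG_LEN = 32  # HMAC-SHA256 digest length


def encode_state(state):
    """MAC disabled: the hidden field is just Base64 over the serialised state."""
    return base64.b64encode(json.dumps(state, sort_keys=True).encode()).decode()


def decode_state(blob):
    """Server with MAC disabled: anything that decodes is trusted."""
    return json.loads(base64.b64decode(blob))


def encode_state_mac(state, key):
    """MAC enabled: a keyed hash over the payload is appended before Base64."""
    payload = json.dumps(state, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + tag).decode()


def decode_state_mac(blob, key):
    """Server with MAC enabled: returns the state, or None when the tag fails."""
    raw = base64.b64decode(blob)
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return json.loads(payload)


def tamper(blob, field, new_value, tag_len=0):
    """Steps B and C: decode, alter one field, re-encode. Any trailing MAC tag
    is carried over unchanged, since recomputing it needs the server key."""
    raw = base64.b64decode(blob)
    payload, tag = (raw[:-tag_len], raw[-tag_len:]) if tag_len else (raw, b"")
    state = json.loads(payload)
    state[field] = new_value
    return base64.b64encode(json.dumps(state, sort_keys=True).encode() + tag).decode()


def demo():
    """Returns (role accepted by the MAC-less server, result from the MAC server)."""
    weak = tamper(encode_state(SAMPLE_STATE), "role", "admin")
    strong = tamper(encode_state_mac(SAMPLE_STATE, SERVER_KEY), "role", "admin", TAG_LEN)
    return decode_state(weak)["role"], decode_state_mac(strong, SERVER_KEY)
```

demo() returns ("admin", None): the unprotected server acts on the altered role, the MAC-protected server discards the request.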
Example:
This example shows how to retrieve ViewState information with Burp:
1- Intercept the request for the page containing ViewState information.
2- Open the ViewState tab; it shows a tree-based structure of the ViewState information.