Web application security - the fast guide Chapter 5: Attack Execution - the client | Page 13

View State Attack

Attack requirements:
1. Ability to decode the Base64-encoded string held in the ViewState hidden field (Base64 is an encoding, not encryption).
2. MAC is disabled. The MAC (message authentication code) is the tampering protection that appends a keyed hash to the ViewState value, so the server can detect any change to it.

Attack process:
1. Using a proxy, capture a request containing the ViewState value.
2. Use a decoder to decode the value, normally Base64-coded (Burp Decoder can be used for this purpose); this reveals the hidden parameters.
3. Alter the parameter and re-encode the ViewState value.
4. Release the request to be served by the server.

Figure (flow): Send ViewState info -> Intercept request with Burp -> Decode and extract the value -> Alter the value and recode it -> Resend altered request with privileged value to server -> Send a privileged response

2017-05-10 Web Application Security Fast Guide (book slides) By Dr.Sami Khiami Slide 13
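The following added example (not from the slides, and not ASP.NET's own ViewState implementation) models why requirement 2 matters. A constructed state dictionary is serialised and Base64-encoded exactly as the slide describes; the decode/alter/re-encode steps are then replayed against two server-side parsers, one that trusts the value blindly (MAC disabled) and one that prepends an HMAC-SHA256 tag under a server-only key (MAC enabled). The key, the JSON serialisation and the tag-first layout are assumptions chosen for the demonstration; in ASP.NET the corresponding secret is the machineKey validationKey.

```python
import base64
import hashlib
import hmac
import json

# Constructed server secret for the example; never leaves the server.
# (Assumption: plays the role ASP.NET's machineKey validationKey plays.)
VALIDATION_KEY = b"constructed-example-key-do-not-reuse"
TAG_LEN = 32  # SHA-256 output size


def encode_state(state, mac_enabled):
    """Server side: serialise the state and Base64-encode it.
    With MAC enabled an HMAC-SHA256 tag is prepended so any change is detectable."""
    payload = json.dumps(state, sort_keys=True).encode()
    if mac_enabled:
        tag = hmac.new(VALIDATION_KEY, payload, hashlib.sha256).digest()
        payload = tag + payload
    return base64.b64encode(payload).decode()


def decode_state(viewstate, mac_enabled):
    """Server side: parse the submitted value. Returns None when the MAC fails."""
    raw = base64.b64decode(viewstate)
    if not mac_enabled:
        return json.loads(raw)  # trusted blindly: the weakness the slide relies on
    if len(raw) <= TAG_LEN:
        return None
    tag, payload = raw[:TAG_LEN], raw[TAG_LEN:]
    expected = hmac.new(VALIDATION_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # tag does not match the (altered) payload
    return json.loads(payload)


def tamper(viewstate, field, new_value, mac_enabled):
    """Models the slide's steps 2-3 at the proxy: Base64-decode, alter one field,
    re-encode. Without the key, a MAC-protected value can only be resent with
    the old tag, which no longer matches the changed payload."""
    raw = base64.b64decode(viewstate)
    tag, payload = (raw[:TAG_LEN], raw[TAG_LEN:]) if mac_enabled else (b"", raw)
    state = json.loads(payload)
    state[field] = new_value
    return base64.b64encode(tag + json.dumps(state, sort_keys=True).encode()).decode()


def run_scenario(mac_enabled):
    """Returns the role the server ends up trusting after the altered request is
    replayed, or None when the server rejects the value."""
    original = encode_state({"user": "alice", "role": "user"}, mac_enabled)
    altered = tamper(original, "role", "admin", mac_enabled)
    parsed = decode_state(altered, mac_enabled)
    return None if parsed is None else parsed["role"]


if __name__ == "__main__":
    print("MAC disabled ->", run_scenario(False))  # admin: tampering accepted
    print("MAC enabled  ->", run_scenario(True))   # None: tampering rejected
```

The MAC only detects modification; it does not hide the contents, so a Base64 decoder still reveals every field. Keeping secrets out of ViewState, or turning on ViewState encryption as well, is a separate control from the MAC shown here.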