A quick look on ASP.NET viewstate

December 1 / 2015

Viewstate is a cool mechanism in the ASP.NET platform for maintaining information supplied from the client side across postbacks. By default every input is submitted to the server with the POST method, and some HTML input objects carry a JavaScript function that calls back to the server, as shown below.

function __doPostBack(eventTarget, eventArgument) {
    // Only post back if the form has no onsubmit handler, or the handler did not veto it
    if (!theForm.onsubmit || (theForm.onsubmit() != false)) {
        // The hidden fields tell the server which control raised which event
        theForm.__EVENTTARGET.value = eventTarget;
        theForm.__EVENTARGUMENT.value = eventArgument;
        theForm.submit();
    }
}

This mechanism can prevent CSRF (Cross-Site Request Forgery) attacks implicitly; in PHP you have to write quite a few lines of code to prevent this kind of attack. However, viewstate is a trade-off between performance and security, so disable viewstate on the pages or controls that do not need it and enable it only where you do. Use viewstate wisely.

Disable Viewstate
1. Website level

In web.config, change enableViewState to false under system.web tag.

<pages enableViewState="false"></pages>

Whatever properties you set on the controls you use, the server will not maintain the viewstate value.

  • Result –> Not maintained
  • Even when the control is set as:

EnableViewState = True
ViewStateMode = Inherit or Enable

2. Page level
Modify the target page with:

<%@ Page Language="C#" AutoEventWireup="true"
    CodeFile="YOURCODE.aspx.cs" Inherits="XXXX_Stage"
    EnableViewState="false" %>

Whatever you set on the control, viewstate will not be maintained.

  • Result –> Not maintained
  • Even when the control is set as:

EnableViewState = True
ViewStateMode = Inherit or Enable

3. Control level
Bear in mind that by default each level inherits the viewstate configuration from the level above it: Website –> Page –> Control.

  • Result –> Maintained

EnableViewState = True
ViewStateMode = Enable

  • Result –> Not maintained

EnableViewState = True or False
ViewStateMode = Disable

Tested on:
Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.1
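The three levels above can be combined so that viewstate is off by default and switched on only for the controls that need it. The single-file page below is an added example, not code from the original post: it assumes the site-level web.config leaves viewstate enabled (a site-level enableViewState="false" would override everything on the page), and the control IDs and label text are made up for the illustration. The attribute values ASP.NET actually accepts for ViewStateMode are Inherit, Enabled and Disabled. The Page_Init handler also sets Page.ViewStateUserKey, which ties the viewstate MAC to the user's session; that binding is what makes viewstate useful against CSRF.

```aspx
<%@ Page Language="C#" AutoEventWireup="true"
    EnableViewState="true" ViewStateMode="Disabled" %>
<%-- Page level: viewstate stays enabled, but every control inherits
     ViewStateMode="Disabled" unless it opts back in explicitly. --%>
<script runat="server">
    protected void Page_Init(object sender, EventArgs e)
    {
        // Bind the viewstate MAC to this session so viewstate captured
        // under another session is rejected on postback.
        Page.ViewStateUserKey = Session.SessionID;
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            // Set once on the first request. Whether the text is still
            // there after a postback depends on each control's settings.
            lblKept.Text = "set on first load";   // constructed sample text
            lblLost.Text = "set on first load";   // constructed sample text
        }
    }
</script>
<html>
<body>
<form id="form1" runat="server">
    <%-- Control level: Enabled overrides the page's Disabled,
         so this label still reads "set on first load" after a postback. --%>
    <asp:Label ID="lblKept" runat="server" ViewStateMode="Enabled" />

    <%-- Control level: Inherit takes the page's Disabled,
         so this label is empty after a postback. --%>
    <asp:Label ID="lblLost" runat="server" ViewStateMode="Inherit" />

    <%-- Clicking the button posts the form back through __doPostBack. --%>
    <asp:Button ID="btnPost" runat="server" Text="Post back" />
</form>
</body>
</html>
```

Drop the page into an ASP.NET 4 web site, load it, and click the button: only lblKept keeps its text, which is the same behaviour the control-level results above describe. Turning the whole page off with EnableViewState="false" in the directive makes both labels lose their text regardless of ViewStateMode, matching the page-level result.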
