[Dailydave] ASP.Net viewstate
Kartikeya Puri
kartikeya.puri at gmail.com
Tue Sep 12 04:20:44 EST 2006
Hi List,
During a test I came across a new feature that was introduced into one of
our applications: Viewstate. Though it adds an overhead to the performance, it
adds a trivial level of security. As viewstate holds an encoded version of the
data being posted along with other controls, it makes it tricky to change
query variables. I have been able to decode viewstate using Python's
decodestring, but only after I changed the URL-encoded characters back to
their decoded form. Also, so far I have had no luck in encoding my strings in
viewstate while submitting the request. Let me draw the scenario:
request(something.aspx)-->put_somejunk_input()-->Post_request()--->intercept_request()-->grab_viewstate()-->decode_viewstate()-->Makechanges_viewstate()-->encode_viewstate()-->Post_newvars_with_new_viewstate()
There are a few details which are to be taken care of, like content length
*taken care of by livehttpheaders/viewstatedecoder*. Can someone give me a
pointer regarding the same?
Thanks and Regards,
Kartik
--
Im not under d affluence of incohol as some tinkle peep.Im not half as thunk
as u drink.I fool so feelish and da drunker i stand here da longer i get..
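
The decode and re-encode steps of the flow above, as an added example that is not part of the original post: it peels the two encoding layers of `__VIEWSTATE` (URL encoding over base64), rebuilds the body byte-for-byte, and recomputes the content length. The sample body and the field names `txtName` and `btnSubmit` are constructed for illustration.

```python
import base64
import binascii
from urllib.parse import parse_qsl, quote_plus

# Constructed sample POST body; field names other than __VIEWSTATE are hypothetical.
SAMPLE_BODY = "__VIEWSTATE=%2FwEP%2B%2F%2B%2FaWQ9Nw%3D%3D&txtName=junk&btnSubmit=Go"


def raw_field(body, name):
    """Return a field's value exactly as it appears on the wire (still URL-encoded)."""
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return value
    raise KeyError(name)


def decode_viewstate(body):
    """Layer 1: URL-decode the form field. Layer 2: base64-decode it."""
    fields = dict(parse_qsl(body, keep_blank_values=True))
    # validate=True rejects stray characters instead of silently skipping them
    return base64.b64decode(fields["__VIEWSTATE"], validate=True)


def encode_viewstate(body, state):
    """Rebuild the body with `state` base64-encoded, then URL-encoded."""
    b64 = base64.b64encode(state).decode("ascii")
    out = []
    for key, value in parse_qsl(body, keep_blank_values=True):
        if key == "__VIEWSTATE":
            value = b64
        # quote_plus escapes '+', '/' and '=', the base64 characters a form post mangles
        out.append(quote_plus(key) + "=" + quote_plus(value))
    return "&".join(out)


def content_length(body):
    """Content-Length is recomputed from the rebuilt body, in bytes."""
    return len(body.encode("ascii"))


def decodes_without_url_decoding(body):
    """False when base64-decoding the on-the-wire value fails (the problem in the post)."""
    try:
        base64.b64decode(raw_field(body, "__VIEWSTATE"), validate=True)
        return True
    except binascii.Error:
        return False
```

Both layers are plain encodings, so the field's integrity rests entirely on the server validating a ViewState MAC.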