Viewing ASP.NET viewstate with ViewState Decoder

Do you ever wonder what may be inside that ASP.NET viewstate? As a tester, don't you
think you should? It's a good thing to wonder about if you care about security. It's
possible that the viewstate could contain sensitive user information that could be
compromised in a man-in-the-middle attack. For example, a user can input a credit card
number into a textbox which would be passed to the next page via the viewstate. Not
good... The viewstate is not encrypted by default; it's just simple Base64 encoding,
which can easily be decoded with cool little tools like ViewState Decoder, made by
Fritz Onion. The viewstate is found in the page source and can easily be located by
searching for the text "ViewState". The search will lead you to a value that looks
like this:

<input type="hidden" name="__VIEWSTATE" value="dDwxNDg5OTk5MzM7Oz7DblWpxMjE3ATl4Jx621QnCmJ2VQ==" />

If you take the value and paste it into Fritz's ViewState Decoder you can make it
human readable:

Let's say you find an issue with sensitive data being passed in the viewstate; the
fix is to make the viewstate tamper-proof and encrypt it. The following is an excerpt
from Microsoft on how to do that:

Tamper-Proofing

A hashcode will not secure the actual data within the ViewState
field, but it will greatly reduce the likelihood of someone tampering with ViewState
to try to spoof your application, that is, posting back values that your
application would normally prevent a user from inputting.

You can instruct ASP.NET to append a hashcode to the ViewState
field by setting the EnableViewStateMAC attribute:

<%@Page EnableViewStateMAC=true %>

EnableViewStateMAC can be set at the page or application
level. Upon postback, ASP.NET will generate a hashcode for the ViewState data and
compare it to the hashcode stored in the posted value. If they don't match, the ViewState
data will be discarded and the controls will revert to their original settings.

By default, ASP.NET generates the ViewState hashcode using
the SHA1 algorithm. Alternatively, you can select the MD5 algorithm by setting <machineKey>
in the machine.config file as follows:

<machineKey validation="MD5" />

Encryption

You can use encryption to protect the actual data values
within the ViewState field. First, you must set EnableViewStateMAC="true", as above.
Then, set the machineKey validation type to 3DES. This
instructs ASP.NET to encrypt the ViewState value using the Triple DES symmetric encryption
algorithm.

<machineKey validation="3DES" />
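As an added example (not from the original post, and not Fritz Onion's tool), here is a small Python script that does the decoding step by hand on the __VIEWSTATE value shown above, and also reports what protects the decoded bytes: the trailing hash that EnableViewStateMAC appends (20 bytes for the default SHA1, 16 for MD5), no hash at all, or no recognizable structure, which is what you see once validation="3DES" encrypts the whole value. The "t<...>" text layout of ASP.NET 1.x, its backslash escaping, and the 0xFF 0x01 header of the 2.0+ binary format are my reading of those formats, not something the post states; the second sample value is constructed for this example.

```python
import base64

# The __VIEWSTATE value shown on the page above.
SAMPLE_VIEWSTATE = "dDwxNDg5OTk5MzM7Oz7DblWpxMjE3ATl4Jx621QnCmJ2VQ=="

# Constructed for this example: the same payload re-encoded without any trailing
# hash, i.e. what a page with EnableViewStateMAC turned off would emit.
UNPROTECTED_SAMPLE = base64.b64encode(b"t<148999933;;>").decode("ascii")

# Digest lengths produced by the <machineKey validation="..."> settings on the page.
MAC_LENGTHS = {20: "SHA1", 16: "MD5"}


def payload_end(blob: bytes) -> int:
    """Return the index just past the outermost 't<...>' triplet of an ASP.NET 1.x
    text-format ViewState, or -1 if the blob does not start that way."""
    if not blob.startswith(b"t<"):
        return -1
    depth = 0
    i = 1
    while i < len(blob):
        c = blob[i]
        if c == 0x5C:      # backslash: the text format escapes '<', '>' and ';' in strings
            i += 2
            continue
        if c == 0x3C:      # '<' opens a nested triplet
            depth += 1
        elif c == 0x3E:    # '>' closes one; depth 0 means the serialized tree is complete
            depth -= 1
            if depth == 0:
                return i + 1
        i += 1
    return -1


def inspect_viewstate(encoded: str) -> dict:
    """Decode a __VIEWSTATE value and report what, if anything, protects it."""
    raw = base64.b64decode(encoded)
    end = payload_end(raw)
    if end < 0:
        if raw[:2] == b"\xff\x01":
            fmt = "binary (ASP.NET 2.0+ ObjectStateFormatter)"
        else:
            # No recognizable header: with validation="3DES" the whole value is encrypted.
            fmt = "unrecognized; possibly encrypted"
        return {"format": fmt, "payload": None, "mac_bytes": None, "mac_algorithm": None}
    payload, mac = raw[:end], raw[end:]
    if not mac:
        algo = "none (EnableViewStateMAC off)"
    else:
        algo = MAC_LENGTHS.get(len(mac), "unknown")
    return {
        "format": "text (ASP.NET 1.x LosFormatter)",
        "payload": payload.decode("ascii", errors="replace"),
        "mac_bytes": len(mac),
        "mac_algorithm": algo,
    }


if __name__ == "__main__":
    for name, value in (("page sample", SAMPLE_VIEWSTATE),
                        ("constructed, no MAC", UNPROTECTED_SAMPLE)):
        print(name, inspect_viewstate(value))
```

Running it on the page's value shows the readable part is just "t<148999933;;>" (a control tree with nothing stored in it) followed by 20 non-printable bytes, so that particular page already had EnableViewStateMAC on with SHA1; the constructed value shows what an unprotected page looks like, and the mac_bytes field is the quickest check when you review a real application's pages.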

You can get more details on viewstate in this article from Microsoft.