I know there are tools out there that will let you see the content of ASP.NET ViewState. Is it possible to see and modify the content of ViewState if it has been encrypted by adding the `<machineKey ... />` node to the web.config?

+2  A: 

Sure. ViewState is simply base64 encoded (unless you specify that it should be encrypted). Here's a link to someone that wrote a ViewState viewer. Here's another by Fritz Onion. You probably will not be able to directly modify the ViewState (i.e. outside of code) because ASP.NET has checks in place to specifically ensure that nothing has tampered with the ViewState. See the EnableViewStateMAC setting for more.

Thomas
Agree, except the fact that the question is if it is possible to decrypt. Assuming Abe knows what he is talking about, he is not talking about the base64 _encoding_ but about an _encrypted_ viewstate which is then encoded using base64. Question is no you cannot decrypt it (that's the whole point) and no you cannot change it, even if you could, the MAC (Message Authentication Code) will fail and the server will reject
Henri
@Henri - I believe Abe is talking about his own site, not someone else's. If it is your own site and you specify a `decryptionKey` attribute in the `machineKey` element, then you can use the same means to decrypt ViewState as was used to encrypt it (Whether it is base64 encoded before or after it is encrypted I do not know) since you know the key. If you do not specify a `decryptionKey`, then it is auto generated and I doubt there is a means to get that key. You can alter `ViewState` outside of code if you disable `enableViewStateMAC` (which of course, you should never do).
Thomas
Thanks Henri, that's what I meant. If you want to post that as an answer I'll accept it.
Abe Miessler
@Abe Miessler - Do you have the decryption key? If so, then yes, you can decrypt it (you'll have to write code that will do it). Can you modify an encrypted ViewState if you have the encryption key? *If enableViewStateMac is off*, then it is theoretically possible. You would have to decode and decrypt the ViewState, change something, encrypt and encode the data and then reset the ViewState hidden variable.
Thomas
Very interesting, thanks for the follow up Thomas.
Abe Miessler
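
A defender's check for the settings discussed in this thread, as an added example that is not part of the original question, answer or comments: it parses a web.config and reports whether ViewState MAC validation is disabled, whether encryption is always on, and whether a `decryptionKey` is stored in the file. The sample config, its placeholder key values and the names `audit_viewstate_config` and `_elements` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample; the key values are placeholders, not real key material.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <pages enableViewStateMac="false" viewStateEncryptionMode="Auto" />
    <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY"
                decryptionKey="PLACEHOLDER_DECRYPTION_KEY" />
  </system.web>
</configuration>"""


def _elements(root, name):
    # Match on local name so a default xmlns on <configuration> hides nothing,
    # and walk the whole tree so <location> overrides are included.
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]


def audit_viewstate_config(xml_text):
    """Return (severity, message) findings for ViewState-related settings."""
    root = ET.fromstring(xml_text)
    findings = []
    for pages in _elements(root, "pages"):
        # Normalise case so a differently cased value is still flagged.
        if pages.get("enableViewStateMac", "true").strip().lower() == "false":
            findings.append(("HIGH", "enableViewStateMac is false: "
                             "a modified ViewState is not rejected"))
        mode = pages.get("viewStateEncryptionMode", "Auto").strip().lower()
        if mode != "always":
            findings.append(("INFO", f"viewStateEncryptionMode={mode}: "
                             "ViewState may be readable after base64 decoding"))
    keys = _elements(root, "machineKey")
    dec = keys[0].get("decryptionKey", "AutoGenerate") if keys else "AutoGenerate"
    if dec.strip().lower().startswith("autogenerate"):
        findings.append(("INFO", "decryptionKey is auto-generated: "
                         "no key material is stored in this file"))
    else:
        findings.append(("MEDIUM", "explicit decryptionKey: anyone who can "
                         "read this file can decrypt ViewState"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_viewstate_config(SAMPLE_WEB_CONFIG):
        print(f"{severity}: {message}")
```

Page-level `<%@ Page %>` directives can override these settings and are not covered by this check.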