Title: [SOLVED] Dealing with VIEWSTATE and EVENTVALIDATION in ASP.NET
Post by: ethicalhack3r on March 21, 2011, 10:40:03 AM
I am testing a ASP.NET application that uses viewstate and eventvalidation.
I want to use a custom tool written in Ruby which uses the net/http library to authenticate to the application.
This is what the tool is doing:
1. GET /login.aspx
2. POST /login.aspx
1) Get login.aspx and parse response.
2) Send post request to login.aspx with eventvalidation and viewstate from 1.
The above results in an error.
Is there something obvious I am missing here? Most black box web app scanners deal with the application fine. I just can't replicate a valid request on my own.
I have tried URL encoding the viewstate and eventvalidation. Ensured that they are being sent correctly. Sending all cookies with 2 that 1 sets.
Thanks in advance,
Title: Re: Dealing with VIEWSTATE and EVENTVALIDATION in ASP.NET
Post by: ethicalhack3r on March 21, 2011, 11:34:32 AM
VIEWSTATE and EVENTVALIDATION values need to be URL encoded. I thought I had done this before however I wasn't doing it properly.