HomeCalendarCertificationsColumnsFeaturesForumResourcesVitals
 
Image
 
linkedin_logo.png rss_logo.jpg
twitter_logo.png youtube_logo.jpg
Latest Additions
 
EH-Net Login
Welcome Guest.
Lost Password?
No account yet? Register
Who's Online
We have 65 guests online
EH-Net News Feeds
Latest Additions
 
Advertisement

You are here: Home arrow Forum arrow Ethical Hacking Discussions and Related Certificationsarrow Web Applicationsarrow [SOLVED] Dealing with VIEWSTATE and EVENTVALIDATION in ASP.NET
EH-Net
May 26, 2012, 02:53:59 AM *
Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
News: Advertise on EH-Net!! - Reasonable Rates, Highly Targeted Audience.
 
   Home   Help Calendar Login Register  
Pages: [1]   Go Down
« previous next »
  Print  
Author Topic: [SOLVED] Dealing with VIEWSTATE and EVENTVALIDATION in ASP.NET  (Read 5409 times)
0 Members and 1 Guest are viewing this topic.
ethicalhack3r
Full Member
***
Offline Offline

Posts: 139


View Profile WWW
« on: March 21, 2011, 10:40:03 AM »
Hi,

I am testing a ASP.NET application that uses viewstate and eventvalidation.

I want to use a custom tool written in Ruby which uses the net/http library to authenticate to the application.

This is what the tool is doing:

1. GET /login.aspx
2. POST /login.aspx

1) Get login.aspx and parse response.
2) Send post request to login.aspx with eventvalidation and viewstate from 1.

The above results in an error.

Is there something obvious I am missing here? Most black box web app scanners deal with the application fine. I just can't replicate a valid request on my own.

I have tried URL encoding the viewstate and eventvalidation. Ensured that they are being sent correctly. Sending all cookies with 2 that 1 sets.

Thanks in advance,
Ryan
« Last Edit: March 21, 2011, 11:34:59 AM by ethicalhack3r » Logged
ethicalhack3r
Full Member
***
Offline Offline

Posts: 139


View Profile WWW
« Reply #1 on: March 21, 2011, 11:34:32 AM »
Problem solved!

VIEWSTATE and EVENTVALIDATION values need to be URL encoded. I thought I had done this before however I wasn't doing it properly.
Logged
Pages: [1]   Go Up
  Print  
« previous next »
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.16 | SMF © 2011, Simple Machines
Joomla Bridge by JoomlaHacks.com 		Valid XHTML 1.0! Valid CSS!
Page created in 0.388 seconds with 22 queries.
 

gk_static-ad_feb2012.jpg
Global Knowledge: Build Security Skills to Protect & Defend

els_130x200fixed2.gif
eLearnSecurity Student Course Now Live!
5% Off with Code
ELS-EH-5

SANS Deals 4 EH-Netters
$150 OFF Any SANS Course in Any Format!
Coupon Code: EHN_Connect Including SANS Security West 2012 & SANSFIRE 2012
Recent Forum Topics

cbtnuggets_logo_125.jpg
Try CBT Nuggets Free!

Vote For EH-Net

Add to Technorati Favorites
technorati fave

 
         
Advertisement

© 2012 The Ethical Hacker Network
Joomla! is Free Software released under the GNU/GPL License.