[SOLVED] Dealing with VIEWSTATE and EVENTVALIDATION in ASP.NET

Viewing 1 reply thread
  • Author
    Posts
    • #6212
      ethicalhack3r
      Participant

      Hi,

      I am testing a ASP.NET application that uses viewstate and eventvalidation.

      I want to use a custom tool written in Ruby which uses the net/http library to authenticate to the application.

      This is what the tool is doing:

      1. GET /login.aspx
      2. POST /login.aspx

      1) Get login.aspx and parse response.
      2) Send post request to login.aspx with eventvalidation and viewstate from 1.

      The above results in an error.

      Is there something obvious I am missing here? Most black box web app scanners deal with the application fine. I just can’t replicate a valid request on my own.

      I have tried URL encoding the viewstate and eventvalidation. Ensured that they are being sent correctly. Sending all cookies with 2 that 1 sets.

      Thanks in advance,
      Ryan

    • #38811
      ethicalhack3r
      Participant

      Problem solved!

      VIEWSTATE and EVENTVALIDATION values need to be URL encoded. I thought I had done this before however I wasn’t doing it properly.

Viewing 1 reply thread
  • You must be logged in to reply to this topic.

Copyright ©2020 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.

Sending

Sign in with Caendra

Forgot password?Sign up

Forgot your details?