.

[SOLVED] Dealing with VIEWSTATE and EVENTVALIDATION in ASP.NET

<<

ethicalhack3r

Full Member
Full Member

Posts: 139

Joined: Fri Nov 28, 2008 11:29 am

Post Mon Mar 21, 2011 10:40 am

[SOLVED] Dealing with VIEWSTATE and EVENTVALIDATION in ASP.NET

Hi,

I am testing a ASP.NET application that uses viewstate and eventvalidation.

I want to use a custom tool written in Ruby which uses the net/http library to authenticate to the application.

This is what the tool is doing:

1. GET /login.aspx
2. POST /login.aspx

1) Get login.aspx and parse response.
2) Send post request to login.aspx with eventvalidation and viewstate from 1.

The above results in an error.

Is there something obvious I am missing here? Most black box web app scanners deal with the application fine. I just can't replicate a valid request on my own.

I have tried URL encoding the viewstate and eventvalidation. Ensured that they are being sent correctly. Sending all cookies with 2 that 1 sets.

Thanks in advance,
Ryan
Last edited by ethicalhack3r on Mon Mar 21, 2011 11:34 am, edited 1 time in total.
<<

ethicalhack3r

Full Member
Full Member

Posts: 139

Joined: Fri Nov 28, 2008 11:29 am

Post Mon Mar 21, 2011 11:34 am

Re: Dealing with VIEWSTATE and EVENTVALIDATION in ASP.NET

Problem solved!

VIEWSTATE and EVENTVALIDATION values need to be URL encoded. I thought I had done this before however I wasn't doing it properly.

Return to Web Applications

Who is online

Users browsing this forum: No registered users and 1 guest

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software