I am testing a ASP.NET application that uses viewstate and eventvalidation.
I want to use a custom tool written in Ruby which uses the net/http library to authenticate to the application.
This is what the tool is doing:
1. GET /login.aspx
2. POST /login.aspx
1) Get login.aspx and parse response.
2) Send post request to login.aspx with eventvalidation and viewstate from 1.
The above results in an error.
Is there something obvious I am missing here? Most black box web app scanners deal with the application fine. I just can't replicate a valid request on my own.
I have tried URL encoding the viewstate and eventvalidation. Ensured that they are being sent correctly. Sending all cookies with 2 that 1 sets.
Thanks in advance,