Can __VIEWSTATE and __EVENTVALIDATION be used for research to disrupt the web application?

I am learning ASP.NET now, and __VIEWSTATE and __EVENTVALIDATION are a little confusing.

  • Is it possible to find out the meaning of these two elements, to learn about the internal components of the application and, possibly, to manipulate it? E.g. people write that __VIEWSTATE contains information about the properties of elements that are not sent back via POSTBACK, for example, as a shortcut. Is it then impossible to manipulate the value of labels in the application so that it displays incorrect information?

  • Is it possible to change the __VIEWSTATE value with a much larger value so that when sending back to the server it adds serious overhead for decompressing and / or defragmenting information and, thus, mainly creating DDOS?

+5
3 answers
  • Yes, you can read the viewstate values. It is encoded by base64, which does not mean that it is encrypted, so to read its values all you have to do is convert it from base64 to UTF-8 and you can read its contents. Try it here for yourself. Each control is listed and several of its properties. As for the manipulation of content, this is possible, but difficult, since the content is checked before being processed on the server.

  • Yes, it is possible if your site is aimed at attacking, and a huge number of large requests were sent with a large view, then it will have a corresponding effect on the server.

Take a look at the following:

+6
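The two points in the answer above, shown as an added example that is not part of the original answer and is not ASP.NET's own code: base64 leaves the state readable, while a keyed MAC makes the server reject a modified copy, and a size cap (relevant to the second question) is applied before any decoding. This is a simplified model, not ASP.NET's serializer or MAC layout; the key, the size cap, the function names and the sample state string are all constructed assumptions.

```python
import base64
import hashlib
import hmac

# Constructed values for illustration; in ASP.NET the key is server-side configuration.
SERVER_KEY = b"constructed-demo-key"
MAC_LEN = hashlib.sha256().digest_size   # 32-byte tag appended to the state
MAX_FIELD_CHARS = 64 * 1024              # assumed cap on the posted field size

def protect(state: bytes) -> str:
    """Render side: append an HMAC over the state, then base64 the result."""
    tag = hmac.new(SERVER_KEY, state, hashlib.sha256).digest()
    return base64.b64encode(state + tag).decode("ascii")

def peek(field: str) -> bytes:
    """What any client can do: base64 is an encoding, so the state is readable."""
    return base64.b64decode(field)[:-MAC_LEN]

def accept(field: str) -> bytes:
    """Postback side: reject oversized or modified fields before using the state."""
    if len(field) > MAX_FIELD_CHARS:
        raise ValueError("field too large")   # checked before any decoding work
    try:
        raw = base64.b64decode(field, validate=True)
    except ValueError as exc:                 # binascii.Error is a ValueError
        raise ValueError("not valid base64") from exc
    if len(raw) < MAC_LEN:
        raise ValueError("too short")
    state, tag = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(SERVER_KEY, state, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("MAC mismatch")
    return state

def tamper(field: str, old: bytes, new: bytes) -> str:
    """Edit the readable state but keep the old tag (no key is available client-side)."""
    raw = base64.b64decode(field)
    edited = raw[:-MAC_LEN].replace(old, new) + raw[-MAC_LEN:]
    return base64.b64encode(edited).decode("ascii")
```
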
  • , . :
  • MAC- ViewState. : DDoS
+1
  • , . , -. , - . , , ASP.NET, - .

  • , , . , .

0