In an asp.net web form application that uses the 4.0 framework, we set ViewStateUserKey to a unique value to prevent a cross-site request forgery vulnerability.
We recently failed a vulnerability test because the tester said that he could not "observe" the existence of this in the html source. I was hoping I could just decode the ViewState and see the ViewStateUserKey, but alas, when I decode the state of the view (using the Fiddler2 ViewState inspector or one of the online decoder sites like http://ignatu.co.uk/ViewStateDecoder.aspx) I do not see ViewStateUserKey. I can see the values in the view mixed with a bunch of gibberish, but the ViewStateUserKey view itself seems to be encoded in gibberish.
For example, here is a decoded view (using the Fiddler2 ViewState inspector) for a page with one DropDownList with 4 values (Text1, Text2, Text3, Text4), you can see the values mixed with gibberish:
-1665646599dfddddfText11gText22gText33gText44gddd?"H~E* =91 ; O! ; O B g
Here is the same page where the ViewStateUserKey is set to the static value "cat" (I understand that the ViewStateUserKey is useless when the static value is set).
-1665646599dfddddfText11gText22gText33gText44gddd Gpb c uy l F3 > h ~
The gibberish at the end of the ViewState has changed; it seems that ViewStateUserKey is hidden in gibberish. But is there a way to prove this with a vulnerability tester?
Please note that if I set enableViewStateMAC to false (which of course will never be in production), I get different gibberish, but I still don't see ViewStateUserKey in the html source.
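The behaviour described in the question (the control values decode cleanly, only the trailing bytes change when ViewStateUserKey is set, and the key itself never appears) is what you get when the key is fed into the MAC computation rather than into the serialized payload. The following Python model is an added example written for this page; it is not ASP.NET's ObjectStateFormatter, and the validation key, the toy serializer and the UTF-16 encoding of the key modifier are assumptions made for the model. What it shows is the check a tester can actually observe: a ViewState produced under one user key is rejected by MAC validation under any other key, even though no decoder will ever show the key in the blob.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for the server's <machineKey validationKey>; any fixed secret works here.
VALIDATION_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)
MAC_LEN = hashlib.sha1().digest_size  # 20 bytes, like an HMACSHA1 tag


def serialize_state(values):
    """Toy stand-in for the ViewState serializer: control values go in as plain text."""
    return "|".join(values).encode("utf-8")


def _modifier(user_key):
    # Assumption of this model: the user key becomes a byte string that is appended to the
    # MAC input only; it is never written into the serialized payload itself.
    return user_key.encode("utf-16-le") if user_key else b""


def protect(values, user_key):
    """Build a ViewState-like blob: base64(payload || HMAC(validationKey, payload || modifier))."""
    payload = serialize_state(values)
    mac = hmac.new(VALIDATION_KEY, payload + _modifier(user_key), hashlib.sha1).digest()
    return base64.b64encode(payload + mac).decode("ascii")


def split_blob(blob):
    """Return (payload, mac) so the two parts can be compared between pages."""
    raw = base64.b64decode(blob)
    return raw[:-MAC_LEN], raw[-MAC_LEN:]


def mac_valid(blob, user_key):
    """Server-side check: recompute the MAC with the user key of the current request."""
    payload, mac = split_blob(blob)
    expected = hmac.new(VALIDATION_KEY, payload + _modifier(user_key), hashlib.sha1).digest()
    return hmac.compare_digest(mac, expected)


def unprotect(blob, user_key):
    """Decode the blob, rejecting it the way the server does when MAC validation fails."""
    if not mac_valid(blob, user_key):
        raise ValueError("ViewState MAC validation failed")
    payload, _ = split_blob(blob)
    return payload.decode("utf-8").split("|")


def key_visible(blob, user_key):
    """What a decoder would show: does the key appear, in any common encoding, in the decoded bytes?"""
    raw = base64.b64decode(blob)
    return any(user_key.encode(enc) in raw for enc in ("utf-8", "utf-16-le"))


if __name__ == "__main__":
    dropdown = ["Text1", "Text2", "Text3", "Text4"]  # constructed; mirrors the page in the question
    no_key = protect(dropdown, None)
    with_key = protect(dropdown, "cat")
    print("payload identical:        ", split_blob(no_key)[0] == split_blob(with_key)[0])
    print("trailing MAC bytes differ:", split_blob(no_key)[1] != split_blob(with_key)[1])
    print("'cat' visible in blob:    ", key_visible(with_key, "cat"))
    print("accepted under other key: ", mac_valid(with_key, "dog"))
```

The evidence to hand a tester is therefore behavioural, not textual: capture the hidden __VIEWSTATE field from a page rendered in one session and submit it from a second session (a different per-user key), and the server must refuse the postback with a MAC validation error. With enableViewStateMac set to false that refusal never happens, which is why the key only has value when MAC validation stays on.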