Monday, November 14, 2005

ASP.NET __VIEWSTATE issues

ASP.NET's extremely popular __VIEWSTATE functionality provides an automatic, uniform method for storing the current state of all web page "controls" (including form fields, database views, etc.), so that user-entered data auto-magically persists and is repopulated in the newly rendered HTML, and so that the current selection of displayed database records is cached and does not need to be looked up again after every operation.


The data is typically stored on the client side as a base64-encoded, hidden POST form field. By default, the field is protected from tampering by being "signed" using SHA1 with a machine-specific key and - although not discussed by Microsoft - presumably either the target .aspx filename or some other file ID parameter.

ASP.NET's __VIEWSTATE field has been found to be prone to replay attacks as well as denial of service vulnerabilities.
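To make the two properties above concrete (a keyed MAC stops tampering with the hidden field, but a MAC alone does nothing against replaying a field that was validly signed for someone else), here is a small model of the scheme, written for this note in Python; it is not ASP.NET's own code. The serialization is a deliberately simplified stand-in for ASP.NET's real state format, the validation key is a constructed value standing in for the web.config machineKey, and the optional per-user value mixed into the MAC is the same idea as ASP.NET's Page.ViewStateUserKey.

```python
import base64
import hashlib
import hmac

# Constructed 32-byte key; in ASP.NET this role is played by the machineKey
# validationKey, which is never sent to the client.
VALIDATION_KEY = bytes.fromhex(
    "0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0"
)
MAC_LEN = hashlib.sha1().digest_size  # 20 bytes for HMAC-SHA1


def serialize_state(fields: dict) -> bytes:
    """Toy, deterministic serialization of control state (NOT ASP.NET's LOS format)."""
    return "\x00".join(f"{k}={v}" for k, v in sorted(fields.items())).encode("utf-8")


def deserialize_state(blob: bytes) -> dict:
    if not blob:
        return {}
    out = {}
    for item in blob.decode("utf-8").split("\x00"):
        key, _, value = item.partition("=")
        out[key] = value
    return out


def encode_viewstate(fields: dict, key: bytes = VALIDATION_KEY,
                     user_key: bytes = b"", enable_mac: bool = True) -> str:
    """Server side: serialize, optionally append HMAC-SHA1 trailer, base64-encode."""
    payload = serialize_state(fields)
    if enable_mac:
        # Binding user_key into the MAC input ties the field to one user/session.
        payload += hmac.new(key, payload + user_key, hashlib.sha1).digest()
    return base64.b64encode(payload).decode("ascii")


def decode_viewstate(field: str, key: bytes = VALIDATION_KEY,
                     user_key: bytes = b"", enable_mac: bool = True) -> dict:
    """Server side on postback: verify the trailer before trusting the contents."""
    raw = base64.b64decode(field, validate=True)
    if not enable_mac:
        return deserialize_state(raw)  # client-controlled data accepted as-is
    if len(raw) < MAC_LEN:
        raise ValueError("viewstate too short to carry a MAC")
    payload, tag = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(key, payload + user_key, hashlib.sha1).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("viewstate MAC validation failed")
    return deserialize_state(payload)


def flip_byte(field: str, offset: int = 0) -> str:
    """Model a client editing the hidden field: flip one bit and re-encode."""
    raw = bytearray(base64.b64decode(field))
    raw[offset] ^= 0x01
    return base64.b64encode(bytes(raw)).decode("ascii")


def tamper_detected(fields: dict, enable_mac: bool) -> bool:
    """True if a modified field is rejected on postback under the given setting."""
    modified = flip_byte(encode_viewstate(fields, enable_mac=enable_mac))
    try:
        decode_viewstate(modified, enable_mac=enable_mac)
        return False
    except ValueError:
        return True


def replay_accepted(fields: dict, bind_to_user: bool) -> bool:
    """True if a field captured from one user's session validates in another's."""
    victim = b"session-A" if bind_to_user else b""
    other = b"session-B" if bind_to_user else b""
    captured = encode_viewstate(fields, user_key=victim)
    try:
        decode_viewstate(captured, user_key=other)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    state = {"page": "2", "sort": "name"}  # constructed sample control state
    print("round trip:", decode_viewstate(encode_viewstate(state)) == state)
    print("tamper caught, MAC off:", tamper_detected(state, enable_mac=False))
    print("tamper caught, MAC on: ", tamper_detected(state, enable_mac=True))
    print("replay accepted, unbound:", replay_accepted(state, bind_to_user=False))
    print("replay accepted, bound:  ", replay_accepted(state, bind_to_user=True))
```

The point of the last two checks is the one the post raises: with the MAC enabled the field cannot be altered, yet a validly signed field still verifies for any user, so replay is only defeated when something user- or session-specific is part of what is signed.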
