ViewState XSS: What's the Deal?

Secure Ideas
Author: Secure Ideas

As penetration testers, we have to be familiar with many different technologies. The more we know and understand about a given technology, the better our tests will be for our customers. ASP.NET is no exception. A recent post, “ViewState XSS: What’s the Deal?”, provides good insight into an attack vector used against ASP.NET’s ViewState functionality. The post demonstrates how an attacker or tester can test for cross-site scripting vulnerabilities by tampering with the view state parameter. As the post indicates, many factors go into this attack vector. The information it provides can help determine whether this attack vector may be possible.

The full post can be found at:
