As penetration testers, we have to be familiar with many different technologies. The more we know and understand about a given technology, the better our tests will be for our customers. ASP.NET is no exception. A recent post, “ViewState XSS: What’s the Deal?” (http://www.jardinesoftware.net/2012/09/17/viewstate-xss-whats-the-deal/), provides good insight into an attack vector used against ASP.NET’s View State functionality. The post demonstrates how an attacker or tester can test for cross-site scripting vulnerabilities by tampering with the view state parameter. As the post indicates, a lot of factors go into this attack vector. The information provided can help determine whether this attack vector may be possible.
The full post can be found at: http://www.jardinesoftware.net/2012/09/17/viewstate-xss-whats-the-deal/