Decrypting a viewstate

  • Question

  • User-200562162 posted

    I'd like to automate an ASP.NET app via the REST API. The viewstate for this app seems to be encrypted, however -- I can't decode it with UTF-8 because it encounters invalid characters (see gibberish characters below), but if I decode with Latin-1 I get something along the lines of this:

    527 (OFFICE)dd+ 12800528 (OFFICE) Science - 12 - SC : 528 (OFFICE)dd+ 12801529 (OFFICE) Science - 12 - SC : 529 (OFFICE)dd+ 12802530 (OFFICE) Science - 12 - SC : 530 (OFFICE)dd+ 12803531 (OFFICE) Science - 12 - SC : 531 (OFFICE)dd+ 12804532 (OFFICE) Science - 12 - SC : 532 (OFFICE)dd+ 12805533 (OFFICE) Science - 12 - SC : 533 (OFFICE)dd+ 12806534 (OFFICE) Science - 12 - SC : 534 (OFFICE)dd+ 12807535 (OFFICE) Science - 12 - SC : 535 (OFFICE)dd+ 12808536 (OFFICE) Science - 12 - SC : 536 (OFFICE)dd+ 12809537 (OFFICE) Science - 12 - SC : 537 (OFFICE)dd+ 12810538 (OFFICE)

    Some information is visible, but I'm assuming the reason for the gibberish characters is encryption. There's obviously some way to decrypt and encrypt the viewstate clientside or else the client wouldn't be able to communicate with the server, but I haven't figured out how just yet. Is there some sort of decryption key provided when I log into the site? If so, once I have it, how can I use it to decrypt/encrypt the view state?

    Tuesday, April 18, 2017 6:54 PM

All replies

  • User475983607 posted

    ViewState is encrypted by the machinekey configuration node.  By default the machine key is auto generated when the application starts.

    https://msdn.microsoft.com/en-us/library/w8h3skw9(v=vs.100).aspx

    However, you should not need to decrypt ViewState, just be sure to send the hidden field on each POST. 

    Tuesday, April 18, 2017 7:48 PM
  • User-200562162 posted

    "https://msdn.microsoft.com/en-us/library/w8h3skw9(v=vs.100).aspx"

    Thanks for linking that -- I think I've found it:

    <div class="aspNetHidden">

    <input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="BC4C7964" />
    <input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION" value="/wEdAJIBnU5NNCP5yBJMit7XgBRIVeIE2RuCdEuNNlq6O ... ==" />
    </div>

    "just be sure to send the hidden field on each POST."

    I'll be doing this through Python, and I'd prefer not to simulate the app to be able to do this. Ideally I'd get the keys when initially loading the app, would decrypt and decode the initial state, would make changes to the state value manually, and then encode and encrypt before sending back to the server.

    Tuesday, April 18, 2017 9:41 PM
  • User475983607 posted

    "I'll be doing this through Python, and I'd prefer not to simulate the app to be able to do this."

    The Python script must simulate a browser, not an app.

    "Ideally I'd get the keys when initially loading the app, would decrypt and decode the initial state, would make changes to the state value manually, and then encode and encrypt before sending back to the server"

    View state is part of the ASP Web Forms framework.  Its purpose is to persist the state of server controls between post backs.  I can't think of a single use case for updating view state on a client. 

    Below is an overview of view state.  Make sure that you understand the technology before you go down this path.

    https://msdn.microsoft.com/en-us/library/ms972976.aspx

    Tuesday, April 18, 2017 10:25 PM
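
The round trip suggested in the replies (send the hidden fields back unchanged on each POST), sketched in Python as an added example that is not part of the original thread. The sample page, the `txtSearch`/`btnSearch` field names and the short base64 values are constructed; the `FF 01` header check is a heuristic for spotting serialized state that is not encrypted.

```python
import base64
from html.parser import HTMLParser
from urllib.parse import urlencode
# Constructed sample page (not from the thread); base64 values are short stand-ins.
SAMPLE_PAGE = """
<form method="post" action="./Default.aspx" id="form1">
<div class="aspNetHidden">
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUKMTIzNDU2Nzg5MGRk" />
<input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="BC4C7964" />
<input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION" value="/wEdAAIBAgM=" />
</div>
<input type="text" name="txtSearch" value="" />
</form>
"""

# Server-issued, integrity-protected fields: echo them back, never edit them.
PROTECTED = ("__VIEWSTATE", "__VIEWSTATEGENERATOR", "__EVENTVALIDATION")

class HiddenFieldParser(HTMLParser):
    """Collects every <input type="hidden"> name/value pair from a page."""
    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""

def hidden_fields(html):
    parser = HiddenFieldParser()
    parser.feed(html)
    return parser.fields

def build_postback(html, form_values):
    """Body for the next POST: hidden fields as received, plus our own inputs."""
    body = hidden_fields(html)
    clash = [name for name in PROTECTED if name in form_values]
    if clash:
        raise ValueError(f"refusing to overwrite server-issued fields: {clash}")
    body.update(form_values)
    return urlencode(body)  # percent-encodes '/', '+' and '=' in the base64 values

def has_plain_serializer_header(b64_value):
    """Heuristic: unencrypted Web Forms state decodes to bytes starting FF 01 ("/wE...")."""
    try:
        return base64.b64decode(b64_value, validate=True)[:2] == b"\xff\x01"
    except ValueError:
        return False
```

In a real session the HTML comes from the previous response of the same session, and the hidden fields must be re-read after every postback because the server issues new values each time.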