ViewState introduction

Whenever we encounter an application built on ASP.NET, ViewState deserialization comes to mind, as it is an inherent weakness of the technology itself. However, the technique cannot be used out of the box against the application under test: to forge a ViewState that passes MAC validation (and decrypts, where encryption is enabled) we need the validation key and decryption key stored in the machineKey section of web.config. In a remote attack scenario that usually means finding a directory traversal or local file inclusion vulnerability to disclose the machine keys. Even having such a vulnerability does not guarantee success, since system administrators may have followed best practice and encrypted the machineKey section of web.config, in which case the file read yields only ciphertext that can be recovered solely on the server that holds the RSA key container.
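The following is an added example, not code from the original post. It shows what the three outcomes of a web.config disclosure look like (keys in plaintext, keys auto-generated, section encrypted with aspnet_regiis) and a small triage function that tells you whether a file you have just read out actually gives you anything to work with. The web.config samples and their key values are constructed placeholders; the RSA-provider output is abbreviated; the fallback algorithm defaults assume a .NET 4.5+ application.

```python
"""Triage a disclosed ASP.NET web.config for usable machine keys.

Added example, not part of the original post. All three configs below are
constructed; the key values are placeholders, not real keys.
"""
import xml.etree.ElementTree as ET

# Constructed sample 1: machineKey in plaintext, the case the attacker needs.
PLAINTEXT_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""

# Constructed sample 2: the same section after the administrator ran
#   aspnet_regiis -pef "system.web/machineKey" "C:\\inetpub\\wwwroot\\app"
# (RsaProtectedConfigurationProvider). The EncryptedData body is abbreviated;
# the real one also carries a KeyInfo/EncryptedKey block. Reading the file
# gives ciphertext only; the RSA key container lives on that server.
PROTECTED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey configProtectionProvider="RsaProtectedConfigurationProvider">
      <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                     xmlns="http://www.w3.org/2001/04/xmlenc#">
        <CipherData><CipherValue>AQAAANCMnd8BFdERjHoAwE/Cl+s=</CipherValue></CipherData>
      </EncryptedData>
    </machineKey>
  </system.web>
</configuration>
"""

# Constructed sample 3: keys auto-generated per machine and per app.
# Nothing in the file to steal; this is also the behaviour when the
# machineKey element is absent altogether.
AUTOGEN_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps" validation="SHA1" />
  </system.web>
</configuration>
"""


def triage_machine_key(config_xml: str) -> dict:
    """Classify the machineKey section of a web.config.

    Returns a dict whose "status" is one of "missing", "protected",
    "autogenerated" or "plaintext". Only "plaintext" also returns the key
    material and algorithms needed to build a ViewState that will validate.
    """
    root = ET.fromstring(config_xml)
    node = root.find("system.web/machineKey")
    if node is None:
        # No explicit section: ASP.NET falls back to auto-generated keys.
        return {"status": "missing"}
    if node.get("configProtectionProvider"):
        # Section was encrypted with aspnet_regiis; the file read is not enough.
        return {"status": "protected",
                "provider": node.get("configProtectionProvider")}
    vk = node.get("validationKey", "AutoGenerate,IsolateApps")
    dk = node.get("decryptionKey", "AutoGenerate,IsolateApps")
    if vk.startswith("AutoGenerate") or dk.startswith("AutoGenerate"):
        return {"status": "autogenerated"}
    return {
        "status": "plaintext",
        "validationKey": vk,
        "decryptionKey": dk,
        # Defaults below are the .NET 4.5+ defaults (assumption for this example).
        "validation": node.get("validation", "HMACSHA256"),
        "decryption": node.get("decryption", "AES"),
    }


if __name__ == "__main__":
    for name, cfg in (("plaintext", PLAINTEXT_CONFIG),
                      ("protected", PROTECTED_CONFIG),
                      ("autogen", AUTOGEN_CONFIG)):
        print(name, "->", triage_machine_key(cfg))
```

Only the "plaintext" result is worth feeding into a ViewState forging tool; the other three outcomes are the situations the paragraph above warns about, where an LFI or traversal read of web.config still leaves you without keys.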

Zac Tee
