View state is information that is round-tripped between WebForms (.aspx) pages in an ASP.NET application. The HTML markup for the `__VIEWSTATE` field resembles the following: ![]()

One example of an item that might be stored in the `__VIEWSTATE` field is the text of a Button control. If a user clicks the button, the Button_Click event handler will be able to extract the Button's text from the view state field. See the ASP.NET View State Overview topic on the Microsoft Developer Network (MSDN) website for a much more detailed overview of the ASP.NET view state.

Because the `__VIEWSTATE` field contains important information that is used to reconstruct the page on postback, make sure that an attacker cannot tamper with this field. If an attacker submitted a malicious `__VIEWSTATE` payload, the attacker could potentially trick the application into performing an action that it otherwise would not have performed. To prevent this kind of tampering attack, the `__VIEWSTATE` field is protected by a message authentication code (MAC). ASP.NET validates the MAC that is submitted together with the `__VIEWSTATE` payload when a postback occurs.
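
The MAC check described above, as an added Python example that is not from the original article or from ASP.NET itself: a simplified model in which the server appends an HMAC-SHA256 tag to the state and verifies it on postback. The field layout, the key, the sample state and all function names are assumptions for illustration and do not reproduce ASP.NET's actual view state format.

```python
import base64
import hashlib
import hmac

MAC_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag appended to the state


def protect_view_state(state: bytes, key: bytes) -> str:
    """Server side, page render: append a MAC and encode for the form field."""
    tag = hmac.new(key, state, hashlib.sha256).digest()
    return base64.b64encode(state + tag).decode("ascii")


def validate_view_state(field: str, key: bytes) -> bytes:
    """Server side, postback: return the state only if its MAC verifies."""
    try:
        raw = base64.b64decode(field, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("view state is not valid base64") from exc
    if len(raw) < MAC_LEN:
        raise ValueError("view state too short to carry a MAC")
    state, tag = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(key, state, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("view state MAC validation failed")
    return state


def handle_postback(field: str, key: bytes) -> str:
    """Model of a Button_Click handler: the text is read only after validation."""
    try:
        return "clicked: " + validate_view_state(field, key).decode("utf-8")
    except ValueError as err:
        return "rejected: " + str(err)


# Constructed sample data (hypothetical key and state, not real ASP.NET values).
SERVER_KEY = bytes(range(32))
GENUINE = protect_view_state(b"Button1.Text=Submit order", SERVER_KEY)

# The client edits the state but cannot recompute the tag without the key.
_raw = base64.b64decode(GENUINE)
TAMPERED = base64.b64encode(_raw.replace(b"Submit", b"Cancel")).decode("ascii")

if __name__ == "__main__":
    print(handle_postback(GENUINE, SERVER_KEY))
    print(handle_postback(TAMPERED, SERVER_KEY))
```

The validation step runs before the state is decoded or used, so a modified field never reaches the handler logic.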