Fake __EVENTVALIDATION on Microsoft Ajax

I am developing a mobile application to view your schedule. They do not provide an API and do not intend to create it.

The website works only with Ajax; however, in order to fake these requests and scrape the website, I need to fake the __EVENTVALIDATION POST field.

I have no control over the site, and I have never built anything using ASP.NET or Microsoft Ajax.

Has anyone done this?

I found that the __EVENTVALIDATION field has this pattern (... marks the bytes that change depending on the request; the hexdump is of the base64-decoded value):

  d8 01 16 13 02 4f 0a
 ...
 f6 e0 84 d4 05 02 a0 3f
 e2 3f 03 02 3f d8 d1 d5 0c 02 bb 82 cf ec 08 02
 b4 b5 99 f8 0b 02 3f 89 3f eb 04 02 d5 83 90 88
 0a 02 8a db 94 90 03 02 8b cf 3f 85 08 02 93 3f
 b1 3f 06 02 9b 3f 8f a5 02 02 b5 b4 af 85 01 02
 d1 fc ae 9c 0e 02 b4 e2 94 9e 0a 02 3f e2 94 9e
 0a 02 3f e2 94 9e 0a 02 bb 92 80 a5 06
 ...                                  
+4
2 answers

I already dealt with this problem when creating a scraper for ASP.NET sites. You need to request the start page that a browser user would normally load, extract the __VIEWSTATE and __EVENTVALIDATION hashes, then use them when creating the second request for the data you need.

For example, if you are scraping the response from a form:

  • make an AJAX request for the page where the form is located
  • extract the view state and event validation hashes from the response
  • create a new AJAX request that simulates submitting the form by passing the hashes as parameters

If you are looking for JavaScript functions to extract hashes from markup, I published the ones I use as ms-viewstate on GitHub.

+8
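The three steps in the answer above, sketched in JavaScript as an added example (it is not the ms-viewstate code the answer mentions). The sample markup, the sample response and names such as `ddlWeek`, `upSchedule` and `Schedule.aspx` are constructed; the example also goes one step further than the answer by parsing the Microsoft Ajax partial-postback reply, which carries replacement tokens for the next request.

```javascript
// Constructed sample page: hidden fields as WebForms renders them (placeholder values).
const SAMPLE_PAGE = `<form method="post" action="./Schedule.aspx">
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUKc2FtcGxl" />
<input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION" value="/wEWAgKc+2FtcGxl" />
<select name="ddlWeek"><option value="1">1</option></select></form>`;
// Constructed sample partial-postback response: length|type|id|content| records.
const SAMPLE_DELTA = "1|#||4|13|updatePanel|upSchedule|<b>Monday</b>|" +
  "16|hiddenField|__VIEWSTATE|/wEPDwUKbmV3c3Rh|12|hiddenField|__EVENTVALIDATION|/wEWAwLnZXc=|";

// Collect every <input type="hidden"> name/value pair from the page markup.
function extractHiddenFields(html) {
  const fields = {};
  for (const [tag] of html.matchAll(/<input\b[^>]*>/gi)) {
    const attr = (n) => (tag.match(new RegExp(`\\b${n}\\s*=\\s*"([^"]*)"`, "i")) || [])[1];
    if ((attr("type") || "").toLowerCase() === "hidden" && attr("name")) {
      fields[attr("name")] = attr("value") || "";
    }
  }
  return fields;
}

// Parse the delta format by its length prefix; content may itself contain "|".
function parseDelta(text) {
  const records = [];
  for (let pos = 0; pos < text.length; ) {
    const head = [];
    for (let i = 0; i < 3; i++) { // length, type, id
      const bar = text.indexOf("|", pos);
      if (bar < 0) throw new Error("truncated record header");
      head.push(text.slice(pos, bar));
      pos = bar + 1;
    }
    const len = Number(head[0]);
    if (!Number.isInteger(len) || text[pos + len] !== "|") throw new Error("bad record length");
    records.push({ type: head[1], id: head[2], content: text.slice(pos, pos + len) });
    pos += len + 1;
  }
  return records;
}

// Tokens go stale after each postback: take the replacements the server sends.
function refreshTokens(fields, deltaText) {
  const fresh = parseDelta(deltaText).filter((r) => r.type === "hiddenField");
  return Object.assign({}, fields, ...fresh.map((r) => ({ [r.id]: r.content })));
}

// Build the form body: server-issued tokens are echoed back unchanged, never computed.
function buildPostback(fields, eventTarget, formValues) {
  const all = { ...fields, __EVENTTARGET: eventTarget, __EVENTARGUMENT: "", ...formValues };
  return new URLSearchParams(all).toString();
}
```

The token values are opaque to the client throughout: the server's keyed hash is only ever copied from a response into the next request.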

__EVENTVALIDATION is a security feature.

The feature prevents unauthorized requests sent by potentially malicious users from the client. To ensure that each postback and callback event comes from the expected user interface elements, the page adds an extra layer of event checking. The page basically matches the contents of the request with the information in the __EVENTVALIDATION field, to make sure that no additional input field has been added on the client, and that the value is selected from a list that was already known on the server. The page generates the event validation field during rendering, that is, at the very last moment when the information is available. Like the view state, the event validation field contains a hash value to prevent client-side tampering.

The hash value is based on a server-level key. Thus, you cannot replicate this hash - more precisely, if you did this without access to the server, I think you would have found a security hole.

REF: MSDN

+1

Source: https://habr.com/ru/post/1443103/

