Question
ASP and ASP.NET web applications use a value called VIEWSTATE in forms. From what I understand, this is used to save some state on the client between requests to the web server.
I have never worked with ASP or ASP.NET and need some help with two questions (and some additional questions):
1) Is it possible to programmatically cheat / construct VIEWSTATE for a form? Clarification: can a program look at a form and from it construct the contents of the VIEWSTATE value encoded in base64?
1 a) Or can it always be simply ignored?
1 b) Could the old VIEWSTATE for a particular form be reused the next time the same form is called, or just succeed if that worked?
2) From http://msdn.microsoft.com/en-us/library/ms972976.aspx#viewstate_topic12 I can learn that protection can be turned on so that VIEWSTATE becomes protected against spoofing. Is it possible for a program to detect that the VIEWSTATE is protected in this way?
2 a) Is there a one-to-one mapping between EVENTVALIDATION and safe VIEWSTATE values?
Regarding 1) and 2), if so, can I talk about how I will do this? For 2) I think I could base64 decode the value and look for a string that is always in plaintext VIEWSTATE. "First:"? Something else?
Background
I made a small tool to detect and exploit so-called CSRF vulnerabilities. I use it to quickly provide evidence of such vulnerabilities that I send to the respective site owners. Quite often, I come across these forms with VIEWSTATE, and I don't know if they are safe or not.
Edit 1: Clarified Question 1. Several.
Edit 2: Added text in italics.