ASP.NET web applications use ViewState in order to maintain a page state and persist data in a web form. The ViewState parameter is a base64 serialised parameter that is normally sent via a hidden parameter called __VIEWSTATE with a POST request. This parameter is deserialized on the server-side to retrieve the data. Due to the nature of serialization, if the user can control and create a valid ViewState, then they can use a deserialization attack to achieve remote code execution on the host.
It enables the server to preserve elements within the user interface across successive requests without needing to maintain all the relevant state information on the server side.
For example, the server may populate a drop-down list on the basis of parameters submitted by the user. When the user makes subsequent requests, the browser does not submit the contents of the list back to the server. However, the browser does submit the hidden ViewState field, which contains a serialized form of the list. The server deserializes the ViewState and recreates the same list that is presented to the user again.
In addition to this core purpose of the ViewState, developers can use it to store arbitrary information across successive requests. For example, instead of saving the product’s price in a hidden form field, an application may save it in the ViewState as follows:
string price = getPrice(prodno);
ViewState.Add(“price”, price);
The form returned to the user now looks something like this:
<form method="post" action="Shop.aspx?prod=3">
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwULLTE1ODcxNjkwNjIPFgIeBXByaWNlBQMzOTlkZA=="/> Product: HTC
Avalanche <br/>
Price: 399 <br/>
Quantity: <input type="text" name="quantity"/> (Maximum quantity is 50)
<br/>
<input type="submit" value="Buy"/>
</form>
When the user submits the form, her browser sends the following:
POST /shop/76/Shop.aspx?prod=3 HTTP/1.1
Host: mdsec.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 77
__VIEWSTATE=%2FwEPDwULLTE1ODcxNjkwNjIPFgIeBXByaWNlBQMzOTlkZA%3D%3D&
quantity=1
The request apparently does not contain the product price — only the quantity ordered and the opaque ViewState parameter. Changing that parameter at random results in an error message, and the purchase is not processed. The ViewState parameter is actually a Base64-encoded string that can be easily decoded to see the price parameter that has been placed there:
If the ASP.NET project incorrectly disclosing its web.config containing static keys, it allows for remote code execution. The common cases for exploiting this vulnerability would be if the web application has published it’s static machine keys to GitHub/other public repositories or if the application has a local file inclusion vulnerability that allows the attacker to obtain a copy of the static keys from the web.config file.
It is normally possible to run code on a web server where a valid ViewState can be forged.
This can be done when: