viewstate – WindowsTechs.com

Is this test enough to proof that the web application is vulnerable to Login CSRF?

Posted on January 19, 2021 by Maicake

SCENARIO:
web application which I think is affected by:

a self-xss in the profile section of a user.
logout CSRF
login CSRF

Below I described the test I did to check for the last 2 vulnerabilities, I’d appreciate an opinion about their c… Continue reading Is this test enough to proof that the web application is vulnerable to Login CSRF?→

How to correctly decode __VIEWSTATE if is unencrypted?

Posted on August 25, 2020 by Maicake

I’m manually testing a web application. When I read __VIEWSTATE fields they seem to be encoded in base64. I tried to decode them using
http://viewstatedecoder.azurewebsites.net/
anyway this message appears

32 byte(s) left over, perhaps an… Continue reading How to correctly decode __VIEWSTATE if is unencrypted?→

How to correctly decode __VIEWSTATE if is unencrypted?

Posted on August 25, 2020 by Maicake

32 byte(s) left over, perhaps an… Continue reading How to correctly decode __VIEWSTATE if is unencrypted?→

How to get session info out of encrypted .NET viewstate?

Posted on March 1, 2018 by XII

I am performing a penetration testing for the first time in a .NET application that instead of providing cookies for session management uses the viewstate hidden field.

I am using the .NET Beautifier plugin in BURP in order … Continue reading How to get session info out of encrypted .NET viewstate?→