
ASP.NET: __VIEWSTATE Bug!

By kadaoui el mehdi, 27 Oct 2010
In ASP.NET, the hidden parameter __VIEWSTATE is passed on each PostBack. So
if your site is misconfigured and a malicious user puts this in the URL: www.YourWebsite.com/default.aspx?__VIEWSTATE=i am hacker
the site goes down and, worse, the code of the aspx page could be shown.
 

When you try this on an ASP.NET 2.0 website:
 
http://www.YourWebsite.com/default.aspx?__VIEWSTATE=COUCOU!
 
You will have something like this:
 
Server Error in '/' Application. Runtime Error
Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine.
 
Details: To enable the details of this specific error message to be viewable on remote machines, please create a <customErrors> tag within a "web.config" configuration file located in the root directory of the current web application. This <customErrors> tag should then have its "mode" attribute set to "Off".

 

The solution is to remove the __VIEWSTATE parameter from Request.QueryString:
 
        // At the top of the code-behind file (needed for PropertyInfo and BindingFlags):
        using System.Reflection;

        protected override void OnInitComplete(EventArgs e)
        {
            base.OnInitComplete(e);
            if (Request.QueryString.ToString().Contains("__VIEWSTATE"))
            {
                // reflect to the read-only property
                PropertyInfo isreadonly = typeof(System.Collections.Specialized.NameValueCollection).GetProperty("IsReadOnly", BindingFlags.Instance | BindingFlags.NonPublic);
                // make collection editable
                isreadonly.SetValue(this.Request.QueryString, false, null);
                // remove
                this.Request.QueryString.Remove("__VIEWSTATE");
                // make collection readonly again
                isreadonly.SetValue(this.Request.QueryString, true, null);
            }
        }
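
The same cleanup can be applied once for the whole site instead of per page. The following is an added example, not the author's code: the class name ViewStateQueryFilterModule is hypothetical, the module has to be registered under httpModules in web.config, and it assumes no page uses a server form with method="get".

```csharp
using System;
using System.Collections.Specialized;
using System.Web;

// Hypothetical module name; not part of the original article.
public class ViewStateQueryFilterModule : IHttpModule
{
    private const string ViewStateKey = "__VIEWSTATE";

    public void Init(HttpApplication application)
    {
        application.BeginRequest += OnBeginRequest;
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpContext context = ((HttpApplication)sender).Context;
        HttpRequest request = context.Request;

        // Normal postbacks carry __VIEWSTATE in the form body, so only the
        // query string is inspected and POST data is left untouched.
        // Assumption: no page relies on a GET-method server form, which
        // would legitimately place __VIEWSTATE in the query string.
        if (request.QueryString[ViewStateKey] == null)
            return;

        // ParseQueryString returns an editable copy, so no reflection on the
        // read-only Request.QueryString collection is needed.
        NameValueCollection cleaned = HttpUtility.ParseQueryString(request.Url.Query);
        cleaned.Remove(ViewStateKey);

        // Rewrite to the same path with the cleaned query string; ToString()
        // on this collection yields a URL-encoded query string.
        context.RewritePath(request.FilePath, request.PathInfo, cleaned.ToString());
    }

    public void Dispose() { }
}
```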

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

About the Author

kadaoui el mehdi
Architect
Belgium
In 2005, I started my .NET career and I could improve in this technology through the project WinForms .NET 2.0 / MVC2 for "Nestle".

After obtaining my diploma MASTER "MBDS" from the University of Nice Sophia Antipolis, I left for Belgium to work as Expert .Net Analyst Developer.

Currently I specialize in ASP.NET architecture at the lowest level.

Meanwhile I remain very active in the .NET community. I created the 1st .NET community in Morocco on Facebook, LinkedIn and Twitter, called "Morocco .Net User Group (MONUG)".

Comments and Discussions

 
Richard Deeming, 2-Nov-10 7:33
Reason for my vote of 1 "the site goes down" No, that single...

kadaoui el mehdi, 28-Oct-10 6:05
I think that the best place to do that is to create an Http Module for catching and deleting "__Viewstate" in URL parameters.
 
I guess on every page, because the Master page is only for look.

Anton Pretorius, 28-Oct-10 1:06
Hi Kadaoui Where should this code be place? on every page t...

Article Copyright 2010 by kadaoui el mehdi