Tip/Trick

ASP.NET: __VIEWSTATE Bug!

27 Oct 2010, CPOL
In this tip I show how to prevent an attack by a malicious user on an ASP.NET website.
In ASP.NET, the hidden parameter __VIEWSTATE is passed on each PostBack. So
if your site is misconfigured and a malicious user puts in the URL: www.YourWebsite.com/default.aspx?__VIEWSTATE=i am hacker
the site goes down, and worse, the error page could expose the code of the aspx page.


So when you try this on an ASP.NET 2.0 website:

http://www.YourWebsite.com/default.aspx?__VIEWSTATE=COUCOU!

you will see something like this:

Server Error in '/' Application. Runtime Error

Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine.

Details: To enable the details of this specific error message to be viewable on remote machines, please create a <customErrors> tag within a "web.config" configuration file located in the root directory of the current web application. This <customErrors> tag should then have its "mode" attribute set to "Off".



The solution is to remove the __VIEWSTATE parameter from Request.QueryString, in your page class (or a common base page):

C#
using System;
using System.Reflection;

protected override void OnInitComplete(EventArgs e)
{
    base.OnInitComplete(e);
    if (Request.QueryString.ToString().Contains("__VIEWSTATE"))
    {
        // Request.QueryString is read-only; reflect to its non-public IsReadOnly property
        PropertyInfo isreadonly = typeof(System.Collections.Specialized.NameValueCollection).GetProperty("IsReadOnly", BindingFlags.Instance | BindingFlags.NonPublic);
        // make the collection editable
        isreadonly.SetValue(this.Request.QueryString, false, null);
        // remove the offending parameter
        this.Request.QueryString.Remove("__VIEWSTATE");
        // make the collection read-only again
        isreadonly.SetValue(this.Request.QueryString, true, null);
    }
}
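As an added example that is not the tip author's code, the same check done once for the whole site as an IHttpModule, so every page is covered without reflecting on Request.QueryString (the namespace and class name are assumptions):

```csharp
using System;
using System.Web;

// Added example (not the tip's own code): an IHttpModule that rejects any request
// carrying __VIEWSTATE in the query string before the page pipeline sees it.
// Register it in web.config (integrated pipeline):
//   <system.webServer><modules>
//     <add name="ViewStateQueryGuard" type="Samples.ViewStateQueryGuard" />
//   </modules></system.webServer>
// or under <system.web><httpModules> for the classic pipeline.
namespace Samples
{
    public class ViewStateQueryGuard : IHttpModule
    {
        public void Init(HttpApplication app)
        {
            app.BeginRequest += OnBeginRequest;
        }

        private static void OnBeginRequest(object sender, EventArgs e)
        {
            HttpApplication app = (HttpApplication)sender;
            HttpRequest req = app.Context.Request;

            // __VIEWSTATE is only legitimate as a POST form field. A copy in the
            // query string makes ASP.NET treat a GET as a postback and try to
            // deserialize attacker-controlled data, which is what produces the
            // runtime error shown above. Refuse such requests with 400 instead.
            if (req.QueryString["__VIEWSTATE"] != null)
            {
                app.Context.Response.StatusCode = 400;
                app.Context.Response.StatusDescription = "Bad Request";
                app.Context.Response.SuppressContent = true;
                app.CompleteRequest();
            }
        }

        public void Dispose() { }
    }
}
```

Unlike the per-page override, the request is stopped before any Page instance is created, so the rule cannot be forgotten on a new page.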

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


Comments and Discussions

Richard Deeming, 2-Nov-10 7:33: Reason for my vote of 1 "the site goes down" No, that single...
kadaoui el mehdi, 28-Oct-10 6:05: I think that the best place to do that, it's to create an Ht...
Spyker55, 28-Oct-10 1:06: Hi Kadaoui Where should this code be placed? on every page t...