Click here to Skip to main content
15,947,958 members
Please Sign up or sign in to vote.
1.00/5 (1 vote)
See more:
It is possible to inject arbitrary HTML tags such as
KeYPptCOpRiLl8Nut+OyEi1KENO25Mat5hfECcdE7PQc/+yfdtK/kUF63b/q9jAREVEkPuVpNzjDn706IRbottF+ehOeZSRLIqd7aTQ8k3HYdLDSflNCQ8kA/+Hbpn9iHzoed1tphn2unPnd3SGFY19G6GqvQfdKCwh1WJVH70q43520XPdCOuXXtNrVaIQKkVrdZjOc7UH5ZEDinK/HBLQBmmqsPGm1kelrqZa9cgzuMNBVcduOKLw9xdJCos97kHZg0ZkfZNXQZM40snoRxDBfwunEfzP1gBbWWpdBj/ACybWDuvr3EFGAIJLo+DJjeBCKpM4i/BoeIaYhK6b+ko7nUSXmrzL4zozjCQr9mfkRp+sjK+/uZMac3qGf5FugO0QdHg==vc0d3(2362857338)
into the __VIEWSTATE parameter which results in JavaScript code being executed on error aspx page. This form of Cross-Site Scripting is considered persistent XSS due to the fact that once the injected data is sent to the server, it is stored and persists across requests. This can have varying consequences depending on where and to whom the inserted data is displayed. XSS vulnerabilities are commonly exploited to steal or manipulate cookies, modify presentation of content, and compromise confidential information, with new attack vectors being discovered on a regular basis.


run time I can see this value for viewstate

What I have tried:

I tried to make it false and true also in aspx page
EnableEventValidation="false" EnableViewState="false"
but issue is not getting fixed in Veracode platform . How can fix it

I tried this also made it True but nothing worked
Posted
Updated 12-Jun-24 0:12am
v2

1 solution

It sounds like you're using an ancient version of .NET Framework - beginning with .NET 4.5.2, released in December 2013, the ViewState field(s) are encrypted and protected with a Message Authentication Code. And a patch released in September 2014 set ASP.NET to ignore the EnableViewStateMac setting and use the ASP.NET 4.5.2 encryption settings in all versions of ASP.NET going back to ASP.NET 1.1.

So if you are still able to tamper with the ViewState, that suggests your server is at least 10 years behind on its security patches. Which means you have much bigger problems to deal with!

Secure ASP.NET ViewState - .NET Blog[^]
 
Share this answer
 
Comments
Thirumadhi T Johnson 12-Jun-24 6:30am    
Hi Richard my application is on asp dot net 4.6.1 only
Richard Deeming 12-Jun-24 6:34am    
Then you cannot tamper with the ViewState in the way you have described. Unless your "error page" is doing something odd, like trying to decode and display the value of the __VIEWSTATE field?

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900