Remember view state? This was the massive kludge of hidden input data in an ASP.NET web forms page which tried to create quasi-persistence between requests in what is otherwise the stateless world of HTTP. Actually, saying “was” isn’t that fair, as indeed web forms apps make up the vast majority of ASP.NET sites out there today, but Microsoft’s implementation of MVC tends to be viewed as the new shiny thing that many of us have gravitated towards in recent years. That said, when I created my recent Pluralsight course on ASP.NET Security Secrets Revealed, I must admit to marvelling just a little at some of the tricks view state has up its sleeves.
Moving on, last year I wrote about Understanding (and testing for) view state MAC in ASP.NET web forms, which explained how data in the view state is verified by the server when the browser posts it back using a “Message Authentication Code” or MAC. Incidentally, the context of that post was about not disabling MAC and indeed, as I prophesised in that post, Microsoft have just disabled the ability to disable it in .NET 4.5.2. But the real story in that post with relevance to what I’m about to share here is this: by default, view state is not encrypted and can be read by anyone.
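As an added illustration (this is not code from the original post, nor ASP.NET’s own LosFormatter or machineKey implementation), the following Python sketch models the two properties described above: a keyed MAC lets the server detect any change to the posted-back blob, but because the payload is only base64 encoded, anyone holding the page can read it without knowing the key. The JSON serialisation, the HMAC-SHA256 choice and the key value are assumptions made for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed server-side secret; stands in for the machineKey validation key.
# Only the server knows it, which is what makes the MAC meaningful.
VALIDATION_KEY = b"constructed-demo-validation-key-do-not-reuse"
MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def encode_viewstate(fields: dict) -> str:
    """Serialise the page's fields, append a keyed MAC, base64 the result.

    Assumed simplified format: <json payload><32-byte HMAC-SHA256>, base64 encoded.
    Note that nothing here encrypts the payload; it is merely encoded.
    """
    payload = json.dumps(fields, sort_keys=True).encode()
    mac = hmac.new(VALIDATION_KEY, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + mac).decode()


def verify_and_decode(viewstate: str) -> dict:
    """Server-side postback handling: recompute the MAC and reject any mismatch."""
    raw = base64.b64decode(viewstate)
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(VALIDATION_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("view state MAC validation failed")
    return json.loads(payload)


def read_without_key(viewstate: str) -> dict:
    """What anyone who can see the page can do: ignore the MAC and read the payload.

    No key is needed, which is the point of the post: MAC gives integrity, not secrecy.
    """
    raw = base64.b64decode(viewstate)
    return json.loads(raw[:-MAC_LEN])


def modified_without_key(viewstate: str, field: str, value) -> str:
    """Model a client that alters a field but cannot recompute the MAC.

    The original MAC is re-attached unchanged; verify_and_decode() must reject it.
    """
    raw = base64.b64decode(viewstate)
    fields = json.loads(raw[:-MAC_LEN])
    fields[field] = value
    return base64.b64encode(json.dumps(fields, sort_keys=True).encode() + raw[-MAC_LEN:]).decode()


def mac_rejects_modification(viewstate: str, field: str, value) -> bool:
    """True if the server detects the altered blob, i.e. the MAC did its job."""
    try:
        verify_and_decode(modified_without_key(viewstate, field, value))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample page state.
    vs = encode_viewstate({"user": "alice", "unit_price": 100})
    print("readable without key:", read_without_key(vs))
    print("server accepts original:", verify_and_decode(vs))
    print("server rejects modified:", mac_rejects_modification(vs, "unit_price", 1))
```

Running it shows the asymmetry: `read_without_key` recovers every field from the blob, while the altered copy is rejected on postback. That is why MAC on its own is not a confidentiality control; anything sensitive placed in view state needs encryption as well.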