From: Debasis Mohanty (debasis@hackingspirits.com)
Date: Sat Jan 14 2006 - 14:56:36 EST
Keith,
There could be two reasons for your test to fail. Like as Moore has already
mentioned, View State is tamper proof if MAC is enabled. Next is, are you
not missing out the Content-Type header while POSTing the data? If you use
the Fiddler http debugging tool this will be one of those small details you
might notice as a difference between your programmatic POST and the browser
POST, and is required for POST to work (especially incase of ASP.NET).
In order to make this work and send the valid Viewstate value to the server,
you will first need to request the form from the server, parse the
Viewstate, and then POST the form back with all other details like
Content-Type etc.
Think about how web scrapping would work incase of fetching data from an
asp.net page.
- D
> -----Original Message-----
> From: Keith Hanson [mailto:seraphimrhapsody@gmail.com]
>
> might know how to do this. I'm currently attempting to override the
> viewstate of a .NET application with my own viewstate, and get the
> application to auto-fill in the values using the Viewstate.
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:22 EDT