Don’t Trust ViewState

In this blog post by Scott Mitchell, Scott gives a review of the issues brought up by this article, discussing ways in which a page’s ViewState in ASP.net could be used to compromise a site. ViewState is encrypted by default (unless you set EnableViewStateMac to false, which you shouldn’t need to do). If a ViewState is posted to a page that did not encrypt it, the server will throw an error. However, if a ViewState is posted to the same page (perhaps with different querystring parameter settings), the page may accept the posted VIewState and use its data:

The point is, don’t trust view state (or the data that is put there by Web controls, such as the DataGrid). That is, if you have important information, such as pricing data, it’s OK if it is placed in view state (such as in a row in a DataGrid), but don’t grab the pricing data to charge by just poking around the view state (as in programmatically accessing the contents of a DataGrid). Instead, if you need to get pricing information (or any other important bit of information) for the final order processing, it is imperative that you requery the database.

You have been warned.

Tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *