SlideShare une entreprise Scribd logo
1  sur  18
Télécharger pour lire hors ligne
Introduction to ASP.NET ViewState
- By Dhiraj Ranka (NII Consulting)
HTTP Protocol
• Stateless 
• Uses cookies, sessions to maintain state
• Where is ViewState in picture?
ASP.NET Page life cycle
• verifying file access rights
• resurrecting the user's session state
(HTTP modules)
Page Life Cycle events
View State
• persist state across post backs
• store name and value pairs
• “What sort of state needs to be persisted?”
• in instantiation stage, control hierarchy is
created
• For example,
<asp:Label runat="server" Font-Name="Verdana" Text="Hello,
World!"></asp:Label>
The View State Property
• Every control can stores its state
• Example
public string NavigateUrl
{
get {
string text = (string) ViewState["NavigateUrl"];
if (text != null)
return text;
else
return string.Empty;
}
set {
ViewState["NavigateUrl"] = value;
}
}
• whenever a control's property is read, the
control's ViewState is consulted
Storing Information in the Page's
ViewState Property
• persist page-specific and user-specific
information across postbacks
• Code would look like
– ViewState[keyName] = value
• example - creating a pageable, sortable DataGrid
• sort expression must be persisted across
postbacks
The Cost of View State
• Nothing comes for free, and view state is no
exception
• two performance hits for every request
– In save view state control hierarchy is saved in base-
64 encoded string which is emitted in “__VIEWSTATE”
hidden form field and in load view state the same is
decoded and control hierarchy is updated
– extra size to the Web page. Some times for view state-
heavy pages can be tens of kilobytes 
Enabling/Disabling ViewState
• At control level
– <asp:Label EnableViewState=“false”…></asp:Label>
• At individual page level
– <%@Page EnableViewState="False" %>
– Page.EnableViewState = false;
• At site/application level (in web.config)
– <pages enableViewState="true">
View State and Security Implications
• Its nothing but base-64 encoded string
• Attacker can easily decode it, manipulate and
encode back before sending it
Prevention
• Tamper proofing
• Encryption
• The ViewStateUserKey Property
Tamper Proofing
• Use a machine authentication check, or MAC
• It ensure that the data received by a computer
is the same data that it transmitted
• hashing the view state data and appending
this hash to the end of the view state
• When post back occurs it checks to ensure
that the appended hash matches up with the
hashed value
• default hashing algorithm used is SHA1 (MD5)
Generic Error
Encryption
• To encrypt the view state, set the
<machineKey> element's validation attribute
in the machine.config file to 3DES
– Can be SHA1, MD5, AES
• the <machineKey> element contains
validationKey and decryptionKey attributes
• validationKey attribute for MAC
• decryptionKey attribute for 3DES
• Default values are “AutoGenerate,IsolateApp”
Concerns with Encryption
• Previous settings works fine with single web
server
• In web farm, it's vital that all Web servers use
the same keys for MAC and/or encryption and
decryption
• Use shared key among all web servers
The ViewStateUserKey Property
• Must be assigned a string value in initialization
stage(Page_Init event)
• User-specific value as username, but can be
guessable
• Recommended value is SessionID
• Code would look this (Page_Init event)
– Page.ViewStateUserKey = Session.SessionID;
• Attacker(Evil Bob) requests a page
• Server salting ViewState hash
using attacker’s username(Evil
Bob)
• Attacker tricks Normal user(Alice)
to request server passing in his
view state
• Web server notices that Alice’s
ViewStateUserKey(“Alice”)
doesn’t match up with the
appended key (“Evil bob”) –
Exception is thrown
Thank you

Contenu connexe

Tendances (20)

Basics of JavaScript
Basics of JavaScriptBasics of JavaScript
Basics of JavaScript
 
Validation Controls in asp.net
Validation Controls in asp.netValidation Controls in asp.net
Validation Controls in asp.net
 
Autoboxing and unboxing
Autoboxing and unboxingAutoboxing and unboxing
Autoboxing and unboxing
 
Php array
Php arrayPhp array
Php array
 
Java script
Java scriptJava script
Java script
 
ASP.NET Web form
ASP.NET Web formASP.NET Web form
ASP.NET Web form
 
Ajax
AjaxAjax
Ajax
 
Introduction to the Web API
Introduction to the Web APIIntroduction to the Web API
Introduction to the Web API
 
Bootstrap
BootstrapBootstrap
Bootstrap
 
Java Servlets
Java ServletsJava Servlets
Java Servlets
 
Introduction to JavaScript Basics.
Introduction to JavaScript Basics.Introduction to JavaScript Basics.
Introduction to JavaScript Basics.
 
Java programming lab manual
Java programming lab manualJava programming lab manual
Java programming lab manual
 
JAVA AWT
JAVA AWTJAVA AWT
JAVA AWT
 
Document Object Model
Document Object ModelDocument Object Model
Document Object Model
 
Introduction to spaCy
Introduction to spaCyIntroduction to spaCy
Introduction to spaCy
 
Java Notes by C. Sreedhar, GPREC
Java Notes by C. Sreedhar, GPRECJava Notes by C. Sreedhar, GPREC
Java Notes by C. Sreedhar, GPREC
 
Advance Java Topics (J2EE)
Advance Java Topics (J2EE)Advance Java Topics (J2EE)
Advance Java Topics (J2EE)
 
Bootstrap ppt
Bootstrap pptBootstrap ppt
Bootstrap ppt
 
Form Validation in JavaScript
Form Validation in JavaScriptForm Validation in JavaScript
Form Validation in JavaScript
 
Ajax Ppt 1
Ajax Ppt 1Ajax Ppt 1
Ajax Ppt 1
 

En vedette

ASP.NET MVC4 Overview
ASP.NET MVC4 OverviewASP.NET MVC4 Overview
ASP.NET MVC4 OverviewMahmoud Tolba
 
State Management In ASP.NET And ASP.NET MVC
State Management In ASP.NET And ASP.NET MVCState Management In ASP.NET And ASP.NET MVC
State Management In ASP.NET And ASP.NET MVCjinaldesailive
 
ASP.NET Page life cycle and ViewState
ASP.NET Page life cycle and ViewStateASP.NET Page life cycle and ViewState
ASP.NET Page life cycle and ViewStateMindfire Solutions
 
ASP.NET MVC Presentation
ASP.NET MVC PresentationASP.NET MVC Presentation
ASP.NET MVC Presentationivpol
 
MVC ppt presentation
MVC ppt presentationMVC ppt presentation
MVC ppt presentationBhavin Shah
 
Introduction to ASP.NET MVC
Introduction to ASP.NET MVCIntroduction to ASP.NET MVC
Introduction to ASP.NET MVCKhaled Musaied
 
ASP.NET MVC Presentation
ASP.NET MVC PresentationASP.NET MVC Presentation
ASP.NET MVC PresentationVolkan Uzun
 

En vedette (9)

Asp.net mvc
Asp.net mvcAsp.net mvc
Asp.net mvc
 
ASP.NET MVC4 Overview
ASP.NET MVC4 OverviewASP.NET MVC4 Overview
ASP.NET MVC4 Overview
 
State Management In ASP.NET And ASP.NET MVC
State Management In ASP.NET And ASP.NET MVCState Management In ASP.NET And ASP.NET MVC
State Management In ASP.NET And ASP.NET MVC
 
ASP.NET Page life cycle and ViewState
ASP.NET Page life cycle and ViewStateASP.NET Page life cycle and ViewState
ASP.NET Page life cycle and ViewState
 
ASP.NET MVC Presentation
ASP.NET MVC PresentationASP.NET MVC Presentation
ASP.NET MVC Presentation
 
MVC ppt presentation
MVC ppt presentationMVC ppt presentation
MVC ppt presentation
 
Introduction to ASP.NET MVC
Introduction to ASP.NET MVCIntroduction to ASP.NET MVC
Introduction to ASP.NET MVC
 
Model View Controller (MVC)
Model View Controller (MVC)Model View Controller (MVC)
Model View Controller (MVC)
 
ASP.NET MVC Presentation
ASP.NET MVC PresentationASP.NET MVC Presentation
ASP.NET MVC Presentation
 

Similaire à Introduction to ASP.Net Viewstate

State management in ASP.NET
State management in ASP.NETState management in ASP.NET
State management in ASP.NETOm Vikram Thapa
 
IBM Spectrum Scale Authentication For Object - Deep Dive
IBM Spectrum Scale Authentication For Object - Deep Dive IBM Spectrum Scale Authentication For Object - Deep Dive
IBM Spectrum Scale Authentication For Object - Deep Dive Smita Raut
 
State management 1
State management 1State management 1
State management 1singhadarsh
 
ASP.Net Presentation Part3
ASP.Net Presentation Part3ASP.Net Presentation Part3
ASP.Net Presentation Part3Neeraj Mathur
 
Super simple application security with Apache Shiro
Super simple application security with Apache ShiroSuper simple application security with Apache Shiro
Super simple application security with Apache ShiroMarakana Inc.
 
Securing Microservices using Play and Akka HTTP
Securing Microservices using Play and Akka HTTPSecuring Microservices using Play and Akka HTTP
Securing Microservices using Play and Akka HTTPRafal Gancarz
 
Simple blog wall creation on Java
Simple blog wall creation on JavaSimple blog wall creation on Java
Simple blog wall creation on JavaMax Titov
 
Securing your Pulsar Cluster with Vault_Chris Kellogg
Securing your Pulsar Cluster with Vault_Chris KelloggSecuring your Pulsar Cluster with Vault_Chris Kellogg
Securing your Pulsar Cluster with Vault_Chris KelloggStreamNative
 
Spring4 security
Spring4 securitySpring4 security
Spring4 securitySang Shin
 
Java EE 8 security and JSON binding API
Java EE 8 security and JSON binding APIJava EE 8 security and JSON binding API
Java EE 8 security and JSON binding APIAlex Theedom
 
GitBucket: The perfect Github clone by Scala
GitBucket: The perfect Github clone by ScalaGitBucket: The perfect Github clone by Scala
GitBucket: The perfect Github clone by Scalatakezoe
 
sakdjfhaksjfhaskjh
sakdjfhaksjfhaskjhsakdjfhaksjfhaskjh
sakdjfhaksjfhaskjhelodiaevie
 
salkdjfhdjkghdfkjh
salkdjfhdjkghdfkjhsalkdjfhdjkghdfkjh
salkdjfhdjkghdfkjhelodiaevie
 
aksdfhaskdjfhasdjkh
aksdfhaskdjfhasdjkhaksdfhaskdjfhasdjkh
aksdfhaskdjfhasdjkhelodiaevie
 
askldjfhaskdfj aslkdjfhaskdfhasjk askldf ashkdf
askldjfhaskdfj aslkdjfhaskdfhasjk askldf ashkdfaskldjfhaskdfj aslkdjfhaskdfhasjk askldf ashkdf
askldjfhaskdfj aslkdjfhaskdfhasjk askldf ashkdfelodiaevie
 
JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2Rodrigo Cândido da Silva
 

Similaire à Introduction to ASP.Net Viewstate (20)

State management in ASP.NET
State management in ASP.NETState management in ASP.NET
State management in ASP.NET
 
IBM Spectrum Scale Authentication For Object - Deep Dive
IBM Spectrum Scale Authentication For Object - Deep Dive IBM Spectrum Scale Authentication For Object - Deep Dive
IBM Spectrum Scale Authentication For Object - Deep Dive
 
State management 1
State management 1State management 1
State management 1
 
ASP.Net Presentation Part3
ASP.Net Presentation Part3ASP.Net Presentation Part3
ASP.Net Presentation Part3
 
Super simple application security with Apache Shiro
Super simple application security with Apache ShiroSuper simple application security with Apache Shiro
Super simple application security with Apache Shiro
 
Securing Microservices using Play and Akka HTTP
Securing Microservices using Play and Akka HTTPSecuring Microservices using Play and Akka HTTP
Securing Microservices using Play and Akka HTTP
 
Simple blog wall creation on Java
Simple blog wall creation on JavaSimple blog wall creation on Java
Simple blog wall creation on Java
 
Securing your Pulsar Cluster with Vault_Chris Kellogg
Securing your Pulsar Cluster with Vault_Chris KelloggSecuring your Pulsar Cluster with Vault_Chris Kellogg
Securing your Pulsar Cluster with Vault_Chris Kellogg
 
Spring4 security
Spring4 securitySpring4 security
Spring4 security
 
Java EE 8 security and JSON binding API
Java EE 8 security and JSON binding APIJava EE 8 security and JSON binding API
Java EE 8 security and JSON binding API
 
Intro to Apache Shiro
Intro to Apache ShiroIntro to Apache Shiro
Intro to Apache Shiro
 
GitBucket: The perfect Github clone by Scala
GitBucket: The perfect Github clone by ScalaGitBucket: The perfect Github clone by Scala
GitBucket: The perfect Github clone by Scala
 
awergaezrg
awergaezrgawergaezrg
awergaezrg
 
sakdjfhaksjfhaskjh
sakdjfhaksjfhaskjhsakdjfhaksjfhaskjh
sakdjfhaksjfhaskjh
 
salkdjfhdjkghdfkjh
salkdjfhdjkghdfkjhsalkdjfhdjkghdfkjh
salkdjfhdjkghdfkjh
 
aergserga
aergsergaaergserga
aergserga
 
aksdfhaskdjfhasdjkh
aksdfhaskdjfhasdjkhaksdfhaskdjfhasdjkh
aksdfhaskdjfhasdjkh
 
askldjfhaskdfj aslkdjfhaskdfhasjk askldf ashkdf
askldjfhaskdfj aslkdjfhaskdfhasjk askldf ashkdfaskldjfhaskdfj aslkdjfhaskdfhasjk askldf ashkdf
askldjfhaskdfj aslkdjfhaskdfhasjk askldf ashkdf
 
sergaerwga
sergaerwgasergaerwga
sergaerwga
 
JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2
 

Plus de n|u - The Open Security Community

Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...n|u - The Open Security Community
 

Plus de n|u - The Open Security Community (20)

Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)
 
Osint primer
Osint primerOsint primer
Osint primer
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
 
Metasploit primary
Metasploit primaryMetasploit primary
Metasploit primary
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
 
Introduction to TLS 1.3
Introduction to TLS 1.3Introduction to TLS 1.3
Introduction to TLS 1.3
 
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
 
Owning a company through their logs
Owning a company through their logsOwning a company through their logs
Owning a company through their logs
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodan
 
Cloud security
Cloud security Cloud security
Cloud security
 
Detecting persistence in windows
Detecting persistence in windowsDetecting persistence in windows
Detecting persistence in windows
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usage
 
OSQuery - Monitoring System Process
OSQuery - Monitoring System ProcessOSQuery - Monitoring System Process
OSQuery - Monitoring System Process
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
 
Extensible markup language attacks
Extensible markup language attacksExtensible markup language attacks
Extensible markup language attacks
 
Linux for hackers
Linux for hackersLinux for hackers
Linux for hackers
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
 

Dernier

UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7DianaGray10
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationIES VE
 
Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?SANGHEE SHIN
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
Babel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxBabel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxYounusS2
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdfPedro Manuel
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 
Spring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfSpring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfAnna Loughnan Colquhoun
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemAsko Soukka
 
20200723_insight_release_plan
20200723_insight_release_plan20200723_insight_release_plan
20200723_insight_release_planJamie (Taka) Wang
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...DianaGray10
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 

Dernier (20)

UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
Babel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxBabel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptx
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
Spring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfSpring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdf
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
20200723_insight_release_plan
20200723_insight_release_plan20200723_insight_release_plan
20200723_insight_release_plan
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 

Introduction to ASP.Net Viewstate

  • 1. Introduction to ASP.NET ViewState - By Dhiraj Ranka (NII Consulting)
  • 2. HTTP Protocol • Stateless  • Uses cookies, sessions to maintain state • Where is ViewState in picture?
  • 3. ASP.NET Page life cycle • verifying file access rights • resurrecting the user's session state (HTTP modules)
  • 5. View State • persist state across post backs • store name and value pairs • “What sort of state needs to be persisted?” • in instantiation stage, control hierarchy is created • For example, <asp:Label runat="server" Font-Name="Verdana" Text="Hello, World!"></asp:Label>
  • 6. The View State Property • Every control can stores its state • Example public string NavigateUrl { get { string text = (string) ViewState["NavigateUrl"]; if (text != null) return text; else return string.Empty; } set { ViewState["NavigateUrl"] = value; } } • whenever a control's property is read, the control's ViewState is consulted
  • 7. Storing Information in the Page's ViewState Property • persist page-specific and user-specific information across postbacks • Code would look like – ViewState[keyName] = value • example - creating a pageable, sortable DataGrid • sort expression must be persisted across postbacks
  • 8. The Cost of View State • Nothing comes for free, and view state is no exception • two performance hits for every request – In save view state control hierarchy is saved in base- 64 encoded string which is emitted in “__VIEWSTATE” hidden form field and in load view state the same is decoded and control hierarchy is updated – extra size to the Web page. Some times for view state- heavy pages can be tens of kilobytes 
  • 9. Enabling/Disabling ViewState • At control level – <asp:Label EnableViewState=“false”…></asp:Label> • At individual page level – <%@Page EnableViewState="False" %> – Page.EnableViewState = false; • At site/application level (in web.config) – <pages enableViewState="true">
  • 10. View State and Security Implications • Its nothing but base-64 encoded string • Attacker can easily decode it, manipulate and encode back before sending it
  • 11. Prevention • Tamper proofing • Encryption • The ViewStateUserKey Property
  • 12. Tamper Proofing • Use a machine authentication check, or MAC • It ensure that the data received by a computer is the same data that it transmitted • hashing the view state data and appending this hash to the end of the view state • When post back occurs it checks to ensure that the appended hash matches up with the hashed value • default hashing algorithm used is SHA1 (MD5)
  • 14. Encryption • To encrypt the view state, set the <machineKey> element's validation attribute in the machine.config file to 3DES – Can be SHA1, MD5, AES • the <machineKey> element contains validationKey and decryptionKey attributes • validationKey attribute for MAC • decryptionKey attribute for 3DES • Default values are “AutoGenerate,IsolateApp”
  • 15. Concerns with Encryption • Previous settings works fine with single web server • In web farm, it's vital that all Web servers use the same keys for MAC and/or encryption and decryption • Use shared key among all web servers
  • 16. The ViewStateUserKey Property • Must be assigned a string value in initialization stage(Page_Init event) • User-specific value as username, but can be guessable • Recommended value is SessionID • Code would look this (Page_Init event) – Page.ViewStateUserKey = Session.SessionID;
  • 17. • Attacker(Evil Bob) requests a page • Server salting ViewState hash using attacker’s username(Evil Bob) • Attacker tricks Normal user(Alice) to request server passing in his view state • Web server notices that Alice’s ViewStateUserKey(“Alice”) doesn’t match up with the appended key (“Evil bob”) – Exception is thrown