Skip to content

defensahacker/viewstate-decoder

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits

README.md

README.md

 
 

colors.py

colors.py

 
 

decoder.py

decoder.py

 
 

exceptions.py

exceptions.py

 
 

parse.py

parse.py

 
 

usage.png

usage.png

 
 

viewstate.py

viewstate.py

 
 

Repository files navigation

INTRO

VIEWSTATE module and decoder was copied from https://github.com/yuvadm/viewstate.git and all kudos go to yuvadm.

I just wrote a small tool to easily decode ASP.NET __VIEWSTATE variables without having to install the viewstate module into the system with administrative privileges and be able to decode the variables with a small script using a terminal, without writting python code.

Sometimes when doing webpentesting against a ASP web application is useful a tool like this.

USAGE

$ ./decoder.py "/wEPDwUKMTU5MTA2ODYwOWRkoCvvBWgUOH7PD446qvEOF6GTCq0="
** ASP.NET __VIEWSTATE decoder **

[*] Decoding __VIEWSTATE:
/wEPDwUKMTU5MTA2ODYwOWRkoCvvBWgUOH7PD446qvEOF6GTCq0=
(('1591068609', None), None)

DEFENSE

To protect against this attacks turn EnableViewStateMac property to True in the machine.config file. To encrypt turn property validation to 3DES.

DISCLAIMER

Use at your own risk in an environment that you are allowed to attack.

~ (c) defensahacker

About

Small tool to decode ASP.NET __VIEWSTATE variable when doing webpentests

pentestwiki.org/appsec/small-tool-to-decode-asp-net-viewstate/

Topics

asp pentesting bugbounty ethical-hacking webpentest

Resources

Readme
Activity

Stars

8 stars

Watchers

1 watching

Forks

5 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages