kala-tamin ASP.Net 1.1 Viewstate Security

ASP.Net 1.1 Viewstate Security

In ASP.Net 1.1 is it possible for the end user to change the viewdata before it's sent back to the server to for instance make it look like an item is selected in a dropdown that does not exist? I've tried manipulating the values in the dropdown using firebug but the server seems to ignore that, I'm presuming because the viewstate says that item does not exist, if however its possible to change the viewdata to achieve this then that could be more of a problem.

I'm asking because I've been asked to look over the security of one of our applications and if the above is possible there could be a big security gap.

Just to clarify I'm not asking how, I do not want to break someone elses software I just need to know if its something to be concerned about.

Hopefully this makes sense.


How to implement web services on an embedded device?


asp.net impersonation
Yes, View State can be hacked.

Mix two strings into one longer string PHP
In ASP.NET 2.0 a feature was introduced which allowed one to Encrypt the View State and thus prevent these types of attacks..
Web security, are there issues with hidden fields (no sensitive data)?
Hacking View State for Fun & Profit details how to hack the view state of an application..
Actively maintained PHP libraries for user authentication? [closed]

Determining a User's Group Membership using VBA

93 out of 100 based on 53 user ratings 453 reviews