SlideShare a Scribd company logo

Introduction to ASP.Net Viewstate

Download as PPTX, PDF
n|u - The Open Security Community
n|u - The Open Security Community

Introduction to ASP.Net Viewstate by Dhiraj Ranka @ null Mumbai Meet, November, 2010

Technology
1 of 18
Introduction to ASP.NET ViewState - By Dhiraj Ranka (NII Consulting)
HTTP Protocol • Stateless  • Uses cookies, sessions to maintain state • Where is ViewState in picture?
ASP.NET Page life cycle • verifying file access rights • resurrecting the user's session state (HTTP modules)
Page Life Cycle events
View State • persist state across post backs • store name and value pairs • “What sort of state needs to be persisted?” • in instantiation stage, control hierarchy is created • For example, <asp:Label runat="server" Font-Name="Verdana" Text="Hello, World!"></asp:Label>
The View State Property • Every control can stores its state • Example public string NavigateUrl { get { string text = (string) ViewState["NavigateUrl"]; if (text != null) return text; else return string.Empty; } set { ViewState["NavigateUrl"] = value; } } • whenever a control's property is read, the control's ViewState is consulted
Storing Information in the Page's ViewState Property • persist page-specific and user-specific information across postbacks • Code would look like – ViewState[keyName] = value • example - creating a pageable, sortable DataGrid • sort expression must be persisted across postbacks
The Cost of View State • Nothing comes for free, and view state is no exception • two performance hits for every request – In save view state control hierarchy is saved in base- 64 encoded string which is emitted in “__VIEWSTATE” hidden form field and in load view state the same is decoded and control hierarchy is updated – extra size to the Web page. Some times for view state- heavy pages can be tens of kilobytes 
Enabling/Disabling ViewState • At control level – <asp:Label EnableViewState=“false”…></asp:Label> • At individual page level – <%@Page EnableViewState="False" %> – Page.EnableViewState = false; • At site/application level (in web.config) – <pages enableViewState="true">
View State and Security Implications • Its nothing but base-64 encoded string • Attacker can easily decode it, manipulate and encode back before sending it
Prevention • Tamper proofing • Encryption • The ViewStateUserKey Property
Tamper Proofing • Use a machine authentication check, or MAC • It ensure that the data received by a computer is the same data that it transmitted • hashing the view state data and appending this hash to the end of the view state • When post back occurs it checks to ensure that the appended hash matches up with the hashed value • default hashing algorithm used is SHA1 (MD5)
Generic Error
Encryption • To encrypt the view state, set the <machineKey> element's validation attribute in the machine.config file to 3DES – Can be SHA1, MD5, AES • the <machineKey> element contains validationKey and decryptionKey attributes • validationKey attribute for MAC • decryptionKey attribute for 3DES • Default values are “AutoGenerate,IsolateApp”
Concerns with Encryption • Previous settings works fine with single web server • In web farm, it's vital that all Web servers use the same keys for MAC and/or encryption and decryption • Use shared key among all web servers
The ViewStateUserKey Property • Must be assigned a string value in initialization stage(Page_Init event) • User-specific value as username, but can be guessable • Recommended value is SessionID • Code would look this (Page_Init event) – Page.ViewStateUserKey = Session.SessionID;
• Attacker(Evil Bob) requests a page • Server salting ViewState hash using attacker’s username(Evil Bob) • Attacker tricks Normal user(Alice) to request server passing in his view state • Web server notices that Alice’s ViewStateUserKey(“Alice”) doesn’t match up with the appended key (“Evil bob”) – Exception is thrown
Thank you

Recommended

AngularJS
AngularJSAngularJS
AngularJSHiten Pratap Singh
 
ASP.NET - Life cycle of asp
ASP.NET - Life cycle of aspASP.NET - Life cycle of asp
ASP.NET - Life cycle of asppriya Nithya
 
Node js Introduction
Node js IntroductionNode js Introduction
Node js Introductionsanskriti agarwal
 
Introduction to Node js
Introduction to Node jsIntroduction to Node js
Introduction to Node jsAkshay Mathur
 
Introduction to ReactJS
Introduction to ReactJSIntroduction to ReactJS
Introduction to ReactJSHoang Long
 
Angular
AngularAngular
AngularTejinderMakkar
 
Spring annotation
Spring annotationSpring annotation
Spring annotationRajiv Srivastava
 
Spring Boot
Spring BootSpring Boot
Spring BootJiayun Zhou
 

Recommended

AngularJS
AngularJSAngularJS
AngularJSHiten Pratap Singh
 
ASP.NET - Life cycle of asp
ASP.NET - Life cycle of aspASP.NET - Life cycle of asp
ASP.NET - Life cycle of asppriya Nithya
 
Node js Introduction
Node js IntroductionNode js Introduction
Node js Introductionsanskriti agarwal
 
Introduction to Node js
Introduction to Node jsIntroduction to Node js
Introduction to Node jsAkshay Mathur
 
Introduction to ReactJS
Introduction to ReactJSIntroduction to ReactJS
Introduction to ReactJSHoang Long
 
Angular
AngularAngular
AngularTejinderMakkar
 
Spring annotation
Spring annotationSpring annotation
Spring annotationRajiv Srivastava
 
Spring Boot
Spring BootSpring Boot
Spring BootJiayun Zhou
 
Asp.net caching
Asp.net cachingAsp.net caching
Asp.net cachingMindfire Solutions
 
Hibernate - Part 2
Hibernate - Part 2 Hibernate - Part 2
Hibernate - Part 2 Hitesh-Java
 
Asp.net and .Net Framework ppt presentation
Asp.net and .Net Framework ppt presentationAsp.net and .Net Framework ppt presentation
Asp.net and .Net Framework ppt presentationabhishek singh
 
Introduction to Spring Framework
Introduction to Spring FrameworkIntroduction to Spring Framework
Introduction to Spring FrameworkHùng Nguyễn Huy
 
Java Spring Framework
Java Spring FrameworkJava Spring Framework
Java Spring FrameworkMehul Jariwala
 
NodeJS for Beginner
NodeJS for BeginnerNodeJS for Beginner
NodeJS for BeginnerApaichon Punopas
 
Asp.net
Asp.netAsp.net
Asp.netOpenSource Technologies Pvt. Ltd.
 
Introduction to Spring Framework
Introduction to Spring Framework Introduction to Spring Framework
Introduction to Spring Framework Serhat Can
 
An introduction to React.js
An introduction to React.jsAn introduction to React.js
An introduction to React.jsEmanuele DelBono
 
Continuous integration using Jenkins and Sonar
Continuous integration using Jenkins and SonarContinuous integration using Jenkins and Sonar
Continuous integration using Jenkins and SonarPascal Larocque
 
Web services SOAP
Web services SOAPWeb services SOAP
Web services SOAPprinceirfancivil
 
Spring User Guide
Spring User GuideSpring User Guide
Spring User GuideMuthuselvam RS
 
Asp.net.
Asp.net.Asp.net.
Asp.net.Naveen Sihag
 
Introduction to Node.js
Introduction to Node.jsIntroduction to Node.js
Introduction to Node.jsVikash Singh
 
Introduction to ASP.NET Core
Introduction to ASP.NET CoreIntroduction to ASP.NET Core
Introduction to ASP.NET CoreAvanade Nederland
 
Selenium web driver
Selenium web driverSelenium web driver
Selenium web driverSun Technlogies
 
Node.js Express Framework
Node.js Express FrameworkNode.js Express Framework
Node.js Express FrameworkTheCreativedev Blog
 
HTL(Sightly) - All you need to know
HTL(Sightly) - All you need to knowHTL(Sightly) - All you need to know
HTL(Sightly) - All you need to knowPrabhdeep Singh
 
Karate, the black belt of HTTP API testing?
Karate, the black belt of HTTP API testing?Karate, the black belt of HTTP API testing?
Karate, the black belt of HTTP API testing?Bertrand Delacretaz
 
Introduction to jest
Introduction to jestIntroduction to jest
Introduction to jestpksjce
 
Asp.net mvc
Asp.net mvcAsp.net mvc
Asp.net mvcNaga Harish M
 
ASP.NET MVC4 Overview
ASP.NET MVC4 OverviewASP.NET MVC4 Overview
ASP.NET MVC4 OverviewMahmoud Tolba
 

More Related Content

What's hot

Hibernate - Part 2
Hibernate - Part 2 Hibernate - Part 2
Hibernate - Part 2 Hitesh-Java
 
Asp.net and .Net Framework ppt presentation
Asp.net and .Net Framework ppt presentationAsp.net and .Net Framework ppt presentation
Asp.net and .Net Framework ppt presentationabhishek singh
 
Introduction to Spring Framework
Introduction to Spring FrameworkIntroduction to Spring Framework
Introduction to Spring FrameworkHùng Nguyễn Huy
 
Introduction to Spring Framework
Introduction to Spring Framework Introduction to Spring Framework
Introduction to Spring Framework Serhat Can
 
An introduction to React.js
An introduction to React.jsAn introduction to React.js
An introduction to React.jsEmanuele DelBono
 
Continuous integration using Jenkins and Sonar
Continuous integration using Jenkins and SonarContinuous integration using Jenkins and Sonar
Continuous integration using Jenkins and SonarPascal Larocque
 
Introduction to Node.js
Introduction to Node.jsIntroduction to Node.js
Introduction to Node.jsVikash Singh
 
Introduction to ASP.NET Core
Introduction to ASP.NET CoreIntroduction to ASP.NET Core
Introduction to ASP.NET CoreAvanade Nederland
 
HTL(Sightly) - All you need to know
HTL(Sightly) - All you need to knowHTL(Sightly) - All you need to know
HTL(Sightly) - All you need to knowPrabhdeep Singh
 
Karate, the black belt of HTTP API testing?
Karate, the black belt of HTTP API testing?Karate, the black belt of HTTP API testing?
Karate, the black belt of HTTP API testing?Bertrand Delacretaz
 
Introduction to jest
Introduction to jestIntroduction to jest
Introduction to jestpksjce
 

What's hot (20)

Asp.net caching
Asp.net cachingAsp.net caching
Asp.net caching
 
Hibernate - Part 2
Hibernate - Part 2 Hibernate - Part 2
Hibernate - Part 2
 
Asp.net and .Net Framework ppt presentation
Asp.net and .Net Framework ppt presentationAsp.net and .Net Framework ppt presentation
Asp.net and .Net Framework ppt presentation
 
Introduction to Spring Framework
Introduction to Spring FrameworkIntroduction to Spring Framework
Introduction to Spring Framework
 
Java Spring Framework
Java Spring FrameworkJava Spring Framework
Java Spring Framework
 
NodeJS for Beginner
NodeJS for BeginnerNodeJS for Beginner
NodeJS for Beginner
 
Asp.net
Asp.netAsp.net
Asp.net
 
Introduction to Spring Framework
Introduction to Spring Framework Introduction to Spring Framework
Introduction to Spring Framework
 
An introduction to React.js
An introduction to React.jsAn introduction to React.js
An introduction to React.js
 
Continuous integration using Jenkins and Sonar
Continuous integration using Jenkins and SonarContinuous integration using Jenkins and Sonar
Continuous integration using Jenkins and Sonar
 
Web services SOAP
Web services SOAPWeb services SOAP
Web services SOAP
 
Spring User Guide
Spring User GuideSpring User Guide
Spring User Guide
 
Asp.net.
Asp.net.Asp.net.
Asp.net.
 
Introduction to Node.js
Introduction to Node.jsIntroduction to Node.js
Introduction to Node.js
 
Introduction to ASP.NET Core
Introduction to ASP.NET CoreIntroduction to ASP.NET Core
Introduction to ASP.NET Core
 
Selenium web driver
Selenium web driverSelenium web driver
Selenium web driver
 
Node.js Express Framework
Node.js Express FrameworkNode.js Express Framework
Node.js Express Framework
 
HTL(Sightly) - All you need to know
HTL(Sightly) - All you need to knowHTL(Sightly) - All you need to know
HTL(Sightly) - All you need to know
 
Karate, the black belt of HTTP API testing?
Karate, the black belt of HTTP API testing?Karate, the black belt of HTTP API testing?
Karate, the black belt of HTTP API testing?
 
Introduction to jest
Introduction to jestIntroduction to jest
Introduction to jest
 

Viewers also liked

ASP.NET MVC4 Overview
ASP.NET MVC4 OverviewASP.NET MVC4 Overview
ASP.NET MVC4 OverviewMahmoud Tolba
 
State Management In ASP.NET And ASP.NET MVC
State Management In ASP.NET And ASP.NET MVCState Management In ASP.NET And ASP.NET MVC
State Management In ASP.NET And ASP.NET MVCjinaldesailive
 
ASP.NET Page life cycle and ViewState
ASP.NET Page life cycle and ViewStateASP.NET Page life cycle and ViewState
ASP.NET Page life cycle and ViewStateMindfire Solutions
 
ASP.NET MVC Presentation
ASP.NET MVC PresentationASP.NET MVC Presentation
ASP.NET MVC Presentationivpol
 
MVC ppt presentation
MVC ppt presentationMVC ppt presentation
MVC ppt presentationBhavin Shah
 
Introduction to ASP.NET MVC
Introduction to ASP.NET MVCIntroduction to ASP.NET MVC
Introduction to ASP.NET MVCKhaled Musaied
 
ASP.NET MVC Presentation
ASP.NET MVC PresentationASP.NET MVC Presentation
ASP.NET MVC PresentationVolkan Uzun
 

Viewers also liked (9)

Asp.net mvc
Asp.net mvcAsp.net mvc
Asp.net mvc
 
ASP.NET MVC4 Overview
ASP.NET MVC4 OverviewASP.NET MVC4 Overview
ASP.NET MVC4 Overview
 
State Management In ASP.NET And ASP.NET MVC
State Management In ASP.NET And ASP.NET MVCState Management In ASP.NET And ASP.NET MVC
State Management In ASP.NET And ASP.NET MVC
 
ASP.NET Page life cycle and ViewState
ASP.NET Page life cycle and ViewStateASP.NET Page life cycle and ViewState
ASP.NET Page life cycle and ViewState
 
ASP.NET MVC Presentation
ASP.NET MVC PresentationASP.NET MVC Presentation
ASP.NET MVC Presentation
 
MVC ppt presentation
MVC ppt presentationMVC ppt presentation
MVC ppt presentation
 
Introduction to ASP.NET MVC
Introduction to ASP.NET MVCIntroduction to ASP.NET MVC
Introduction to ASP.NET MVC
 
Model View Controller (MVC)
Model View Controller (MVC)Model View Controller (MVC)
Model View Controller (MVC)
 
ASP.NET MVC Presentation
ASP.NET MVC PresentationASP.NET MVC Presentation
ASP.NET MVC Presentation
 

Similar to Introduction to ASP.Net Viewstate

State management in ASP.NET
State management in ASP.NETState management in ASP.NET
State management in ASP.NETOm Vikram Thapa
 
IBM Spectrum Scale Authentication For Object - Deep Dive
IBM Spectrum Scale Authentication For Object - Deep Dive IBM Spectrum Scale Authentication For Object - Deep Dive
IBM Spectrum Scale Authentication For Object - Deep Dive Smita Raut
 
State management 1
State management 1State management 1
State management 1singhadarsh
 
ASP.Net Presentation Part3
ASP.Net Presentation Part3ASP.Net Presentation Part3
ASP.Net Presentation Part3Neeraj Mathur
 
Super simple application security with Apache Shiro
Super simple application security with Apache ShiroSuper simple application security with Apache Shiro
Super simple application security with Apache ShiroMarakana Inc.
 
Securing Microservices using Play and Akka HTTP
Securing Microservices using Play and Akka HTTPSecuring Microservices using Play and Akka HTTP
Securing Microservices using Play and Akka HTTPRafal Gancarz
 
Simple blog wall creation on Java
Simple blog wall creation on JavaSimple blog wall creation on Java
Simple blog wall creation on JavaMax Titov
 
Securing your Pulsar Cluster with Vault_Chris Kellogg
Securing your Pulsar Cluster with Vault_Chris KelloggSecuring your Pulsar Cluster with Vault_Chris Kellogg
Securing your Pulsar Cluster with Vault_Chris KelloggStreamNative
 
Spring4 security
Spring4 securitySpring4 security
Spring4 securitySang Shin
 
Java EE 8 security and JSON binding API
Java EE 8 security and JSON binding APIJava EE 8 security and JSON binding API
Java EE 8 security and JSON binding APIAlex Theedom
 
GitBucket: The perfect Github clone by Scala
GitBucket: The perfect Github clone by ScalaGitBucket: The perfect Github clone by Scala
GitBucket: The perfect Github clone by Scalatakezoe
 
sakdjfhaksjfhaskjh
sakdjfhaksjfhaskjhsakdjfhaksjfhaskjh
sakdjfhaksjfhaskjhelodiaevie
 
askldjfhaskdfj aslkdjfhaskdfhasjk askldf ashkdf
askldjfhaskdfj aslkdjfhaskdfhasjk askldf ashkdfaskldjfhaskdfj aslkdjfhaskdfhasjk askldf ashkdf
askldjfhaskdfj aslkdjfhaskdfhasjk askldf ashkdfelodiaevie
 
salkdjfhdjkghdfkjh
salkdjfhdjkghdfkjhsalkdjfhdjkghdfkjh
salkdjfhdjkghdfkjhelodiaevie
 
aksdfhaskdjfhasdjkh
aksdfhaskdjfhasdjkhaksdfhaskdjfhasdjkh
aksdfhaskdjfhasdjkhelodiaevie
 
JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2Rodrigo Cândido da Silva
 

Similar to Introduction to ASP.Net Viewstate (20)

State management in ASP.NET
State management in ASP.NETState management in ASP.NET
State management in ASP.NET
 
IBM Spectrum Scale Authentication For Object - Deep Dive
IBM Spectrum Scale Authentication For Object - Deep Dive IBM Spectrum Scale Authentication For Object - Deep Dive
IBM Spectrum Scale Authentication For Object - Deep Dive
 
State management 1
State management 1State management 1
State management 1
 
ASP.Net Presentation Part3
ASP.Net Presentation Part3ASP.Net Presentation Part3
ASP.Net Presentation Part3
 
Super simple application security with Apache Shiro
Super simple application security with Apache ShiroSuper simple application security with Apache Shiro
Super simple application security with Apache Shiro
 
Securing Microservices using Play and Akka HTTP
Securing Microservices using Play and Akka HTTPSecuring Microservices using Play and Akka HTTP
Securing Microservices using Play and Akka HTTP
 
Simple blog wall creation on Java
Simple blog wall creation on JavaSimple blog wall creation on Java
Simple blog wall creation on Java
 
Securing your Pulsar Cluster with Vault_Chris Kellogg
Securing your Pulsar Cluster with Vault_Chris KelloggSecuring your Pulsar Cluster with Vault_Chris Kellogg
Securing your Pulsar Cluster with Vault_Chris Kellogg
 
Spring4 security
Spring4 securitySpring4 security
Spring4 security
 
Java EE 8 security and JSON binding API
Java EE 8 security and JSON binding APIJava EE 8 security and JSON binding API
Java EE 8 security and JSON binding API
 
Intro to Apache Shiro
Intro to Apache ShiroIntro to Apache Shiro
Intro to Apache Shiro
 
GitBucket: The perfect Github clone by Scala
GitBucket: The perfect Github clone by ScalaGitBucket: The perfect Github clone by Scala
GitBucket: The perfect Github clone by Scala
 
awergaezrg
awergaezrgawergaezrg
awergaezrg
 
sakdjfhaksjfhaskjh
sakdjfhaksjfhaskjhsakdjfhaksjfhaskjh
sakdjfhaksjfhaskjh
 
askldjfhaskdfj aslkdjfhaskdfhasjk askldf ashkdf
askldjfhaskdfj aslkdjfhaskdfhasjk askldf ashkdfaskldjfhaskdfj aslkdjfhaskdfhasjk askldf ashkdf
askldjfhaskdfj aslkdjfhaskdfhasjk askldf ashkdf
 
sergaerwga
sergaerwgasergaerwga
sergaerwga
 
salkdjfhdjkghdfkjh
salkdjfhdjkghdfkjhsalkdjfhdjkghdfkjh
salkdjfhdjkghdfkjh
 
aergserga
aergsergaaergserga
aergserga
 
aksdfhaskdjfhasdjkh
aksdfhaskdjfhasdjkhaksdfhaskdjfhasdjkh
aksdfhaskdjfhasdjkh
 
JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2
 

More from n|u - The Open Security Community

Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...n|u - The Open Security Community
 

More from n|u - The Open Security Community (20)

Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)
 
Osint primer
Osint primerOsint primer
Osint primer
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
 
Metasploit primary
Metasploit primaryMetasploit primary
Metasploit primary
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
 
Introduction to TLS 1.3
Introduction to TLS 1.3Introduction to TLS 1.3
Introduction to TLS 1.3
 
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
 
Owning a company through their logs
Owning a company through their logsOwning a company through their logs
Owning a company through their logs
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodan
 
Cloud security
Cloud security Cloud security
Cloud security
 
Detecting persistence in windows
Detecting persistence in windowsDetecting persistence in windows
Detecting persistence in windows
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usage
 
OSQuery - Monitoring System Process
OSQuery - Monitoring System ProcessOSQuery - Monitoring System Process
OSQuery - Monitoring System Process
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
 
Extensible markup language attacks
Extensible markup language attacksExtensible markup language attacks
Extensible markup language attacks
 
Linux for hackers
Linux for hackersLinux for hackers
Linux for hackers
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
 

Recently uploaded

Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 

Recently uploaded (20)

Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 

Introduction to ASP.Net Viewstate

  • 1. Introduction to ASP.NET ViewState - By Dhiraj Ranka (NII Consulting)
  • 2. HTTP Protocol • Stateless  • Uses cookies, sessions to maintain state • Where is ViewState in picture?
  • 3. ASP.NET Page life cycle • verifying file access rights • resurrecting the user's session state (HTTP modules)
  • 5. View State • persist state across post backs • store name and value pairs • “What sort of state needs to be persisted?” • in instantiation stage, control hierarchy is created • For example, <asp:Label runat="server" Font-Name="Verdana" Text="Hello, World!"></asp:Label>
  • 6. The View State Property • Every control can stores its state • Example public string NavigateUrl { get { string text = (string) ViewState["NavigateUrl"]; if (text != null) return text; else return string.Empty; } set { ViewState["NavigateUrl"] = value; } } • whenever a control's property is read, the control's ViewState is consulted
  • 7. Storing Information in the Page's ViewState Property • persist page-specific and user-specific information across postbacks • Code would look like – ViewState[keyName] = value • example - creating a pageable, sortable DataGrid • sort expression must be persisted across postbacks
  • 8. The Cost of View State • Nothing comes for free, and view state is no exception • two performance hits for every request – In save view state control hierarchy is saved in base- 64 encoded string which is emitted in “__VIEWSTATE” hidden form field and in load view state the same is decoded and control hierarchy is updated – extra size to the Web page. Some times for view state- heavy pages can be tens of kilobytes 
  • 9. Enabling/Disabling ViewState • At control level – <asp:Label EnableViewState=“false”…></asp:Label> • At individual page level – <%@Page EnableViewState="False" %> – Page.EnableViewState = false; • At site/application level (in web.config) – <pages enableViewState="true">
  • 10. View State and Security Implications • Its nothing but base-64 encoded string • Attacker can easily decode it, manipulate and encode back before sending it
  • 11. Prevention • Tamper proofing • Encryption • The ViewStateUserKey Property
  • 12. Tamper Proofing • Use a machine authentication check, or MAC • It ensure that the data received by a computer is the same data that it transmitted • hashing the view state data and appending this hash to the end of the view state • When post back occurs it checks to ensure that the appended hash matches up with the hashed value • default hashing algorithm used is SHA1 (MD5)
  • 14. Encryption • To encrypt the view state, set the <machineKey> element's validation attribute in the machine.config file to 3DES – Can be SHA1, MD5, AES • the <machineKey> element contains validationKey and decryptionKey attributes • validationKey attribute for MAC • decryptionKey attribute for 3DES • Default values are “AutoGenerate,IsolateApp”
  • 15. Concerns with Encryption • Previous settings works fine with single web server • In web farm, it's vital that all Web servers use the same keys for MAC and/or encryption and decryption • Use shared key among all web servers
  • 16. The ViewStateUserKey Property • Must be assigned a string value in initialization stage(Page_Init event) • User-specific value as username, but can be guessable • Recommended value is SessionID • Code would look this (Page_Init event) – Page.ViewStateUserKey = Session.SessionID;
  • 17. • Attacker(Evil Bob) requests a page • Server salting ViewState hash using attacker’s username(Evil Bob) • Attacker tricks Normal user(Alice) to request server passing in his view state • Web server notices that Alice’s ViewStateUserKey(“Alice”) doesn’t match up with the appended key (“Evil bob”) – Exception is thrown