ASP.Net is a web-application development framework that provides both user-interface and back-end functionality. The ASP.Net view state is typically stored in a hidden form field named "__VIEWSTATE". When a page's view state is not cryptographically signed, many standard .Net controls are vulnerable to Cross-Site Scripting (XSS) through the view state.
It is well documented that using an unsigned view state is "bad", but most previous advisories focus on vaguely described threats or on vulnerabilities introduced by custom use of the view state. To the best of Trustwave's knowledge, this is the first time a proof-of-concept attack of this nature has been demonstrated against the view state. A vulnerability was alluded to in a 2004 Microsoft article on troubleshooting view state problems [1]. However, other Microsoft documents recommend disabling view state signing "if performance is a key consideration" [2, 3, 4] or for various other reasons [5, 6]. Realistically, unsigned view states should never be used in a production environment.
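The practical defender-side check that follows from the advisory is to confirm that view state signing (the view state MAC) has not been switched off anywhere in a deployment. The script below is an added example, not Trustwave's code: it audits an ASP.Net project for the two real places the MAC is disabled, the site-wide `<pages enableViewStateMac="false">` element in web.config and the per-page `EnableViewStateMac="false"` directive attribute, and offers a rewrite that re-enables it. The file contents and paths are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample project tree. The attribute and element names are the
# real ASP.Net ones; the paths and file bodies are made up for this example.
SAMPLE_FILES: Dict[str, str] = {
    "Web.config": """<configuration>
  <system.web>
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>""",
    "Default.aspx": '<%@ Page Language="C#" EnableViewStateMac="false" CodeBehind="Default.aspx.cs" %>',
    "Safe.aspx": '<%@ Page Language="C#" EnableViewStateMac="true" %>',
    "Plain.aspx": '<%@ Page Language="C#" %>',  # default (MAC on) - no finding
}

# <pages ... enableViewStateMac="false" ...> inside web.config (site-wide).
CONFIG_RE = re.compile(r'<pages\b[^>]*\benableViewStateMac\s*=\s*"false"', re.I)
# <%@ Page ... EnableViewStateMac="false" ... %> page directive (per page).
DIRECTIVE_RE = re.compile(r'<%@\s*Page\b[^%]*\bEnableViewStateMac\s*=\s*"false"', re.I)


def find_unsigned_viewstate(files: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (path, reason) for every file that turns the view state MAC off.

    A page directive overrides web.config, so both locations are checked;
    attribute matching is case-insensitive because ASP.Net treats it that way.
    """
    findings: List[Tuple[str, str]] = []
    for path, text in files.items():
        lower = path.lower()
        if lower.endswith("web.config") and CONFIG_RE.search(text):
            findings.append((path, 'pages enableViewStateMac="false" (site-wide)'))
        elif lower.endswith(".aspx") and DIRECTIVE_RE.search(text):
            findings.append((path, 'page directive EnableViewStateMac="false"'))
    return findings


def enable_viewstate_mac(text: str) -> str:
    """Rewrite a disabled MAC attribute to "true" in a directive or web.config."""
    return re.sub(r'(enableViewStateMac\s*=\s*")false(")', r"\1true\2", text, flags=re.I)


if __name__ == "__main__":
    for path, reason in find_unsigned_viewstate(SAMPLE_FILES):
        print(f"{path}: {reason}")
```

Run against a real tree by reading each web.config and .aspx file into the `files` dictionary; any finding means a deployment where the XSS described above is reachable.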