Friday, 25 September 2009

ASP.NET: __VIEWSTATE Bug!

When you try this on an ASP.NET 2.0 website:

http://www.YouWebsite/default.aspx?__VIEWSTATE=COUCOU!

You will get something like this:



How can this be exploited, and what do we have to do to resolve this bug?

Any suggestions are welcome.


08/01/2010

I found the solution: remove the "__VIEWSTATE" parameter from "Request.QueryString".

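    using System;
    using System.Collections.Specialized;
    using System.Reflection;

    // Place inside the page's code-behind class (or a common base Page class).
    protected override void OnInitComplete(EventArgs e)
    {
        base.OnInitComplete(e);

        // Keyed lookup is case-insensitive and matches the parameter name only,
        // not a value that happens to contain the text "__VIEWSTATE".
        if (Request.QueryString["__VIEWSTATE"] != null)
        {
            // Reflect the non-public IsReadOnly property of the collection
            PropertyInfo isReadOnly = typeof(NameValueCollection).GetProperty(
                "IsReadOnly", BindingFlags.Instance | BindingFlags.NonPublic);

            // Make the collection editable
            isReadOnly.SetValue(Request.QueryString, false, null);

            // Remove the parameter
            Request.QueryString.Remove("__VIEWSTATE");

            // Make the collection read-only again
            isReadOnly.SetValue(Request.QueryString, true, null);
        }
    }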
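
An alternative to patching each page, shown as an added example that is not part of the original post: an HTTP module that rejects any request carrying __VIEWSTATE in the query string before a page runs, with no reflection needed. The class name ViewStateQueryGuardModule is hypothetical, and the example assumes no form on the site uses method="get" (such forms legitimately place __VIEWSTATE in the query string).

```csharp
using System;
using System.Web;

// Hypothetical module name; added example, not code from the original post.
// Assumption: the site has no Web Forms that post back with method="get".
public sealed class ViewStateQueryGuardModule : IHttpModule
{
    private const string FieldName = "__VIEWSTATE";

    public void Init(HttpApplication application)
    {
        // Run before any page handler is created or view state is loaded.
        application.BeginRequest += OnBeginRequest;
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpApplication application = (HttpApplication)sender;
        HttpContext context = application.Context;

        if (!HasViewStateInQuery(context.Request))
        {
            return;
        }

        // Answer with a plain 400 instead of letting the page try to
        // deserialize the value and fail with an error page.
        context.Response.Clear();
        context.Response.StatusCode = 400;
        context.Response.StatusDescription = "Bad Request";
        application.CompleteRequest();
    }

    private static bool HasViewStateInQuery(HttpRequest request)
    {
        // QueryString lookups by key are case-insensitive, so this also
        // catches variants such as "__viewstate".
        return request.QueryString[FieldName] != null;
    }

    public void Dispose()
    {
        // No unmanaged resources to release.
    }
}
```

Register the module in web.config under system.web/httpModules (or system.webServer/modules under the IIS 7 integrated pipeline) so that it runs for every request.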
