Sunday, November 18, 2012

ViewState Security in Asp.net

View state is one of the client-side state mechanisms in ASP.NET. While developing web applications we use view state to maintain state across postbacks. View state data is stored at the client side in a hidden field, and data stored at the client side can easily be read and tampered with.
If we look at the view state in the hidden field, it appears to be in an encrypted format, but by default it is nothing more than a Base64-encoded string:
<div class="aspNetHidden"> <input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUKMTY1NDU2MTA1MmRk" /> </div>
The above string can be decoded easily; there are many tools that will decode Base64 for you.
Then how do we make the view state secure?
You can make sure that the ViewState information is tamper-proof by using a hash code, more precisely a MAC (Message Authentication Code). You do this by adding EnableViewStateMac="true" to your page directive.
<%@ Page Title="Home Page" Language="C#" MasterPageFile="~/Site.master" AutoEventWireup="true"
    CodeBehind="Default.aspx.cs" Inherits="AspnetSamples._Default" EnableViewStateMac="true" %>

When we use EnableViewStateMac="true", ASP.NET internally computes a hash code while saving the ViewState. This hash code is a cryptographically strong checksum that is appended to the ViewState content and stored in the hidden field. During postback, ASP.NET verifies the checksum again. If there is a mismatch, the postback is rejected.
You can see the view state with the MAC appended, which is now tamper-proof (the MAC authenticates the content but does not encrypt it; if the contents must also be kept confidential, set ViewStateEncryptionMode as well):
<div class="aspNetHidden"> <input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUKMTY1NDU2MTA1MmRkUkrfk7WraO3oDkbzEdzP7B3oVWpynylAgMi0Xne7Pjg=" /> </div>
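To make the mechanism concrete, here is an added Python example (not code from the original post or from ASP.NET itself) that decodes the two __VIEWSTATE values quoted above, separates the appended MAC, and models the postback check with a constructed demo key. The real key is the server's machineKey, which is not on the page, so the page's own MAC cannot be recomputed here.

```python
import base64
import hashlib
import hmac

# The two __VIEWSTATE values quoted in the post: the same page state,
# first without and then with EnableViewStateMac.
VIEWSTATE_NO_MAC = "/wEPDwUKMTY1NDU2MTA1MmRk"
VIEWSTATE_WITH_MAC = "/wEPDwUKMTY1NDU2MTA1MmRkUkrfk7WraO3oDkbzEdzP7B3oVWpynylAgMi0Xne7Pjg="

MAC_LEN = 32  # HMAC-SHA256 digest, the ASP.NET 4 default validation algorithm


def decode_viewstate(value: str) -> bytes:
    """Base64 is an encoding, not encryption: anyone can recover the bytes.
    The 0xFF 0x01 prefix marks ObjectStateFormatter serialization."""
    return base64.b64decode(value)


def split_mac(blob: bytes, mac_len: int = MAC_LEN):
    """ASP.NET appends the MAC after the serialized state; separate them."""
    return blob[:-mac_len], blob[-mac_len:]


def sign(payload: bytes, key: bytes) -> bytes:
    """Model of what the server does on save: state || HMAC(key, state)."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def verify(blob: bytes, key: bytes) -> bytes:
    """Model of the postback check: recompute the MAC, compare in constant
    time, and reject the request on any mismatch."""
    payload, mac = split_mac(blob)
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("ViewState MAC validation failed")
    return payload


def tamper_is_rejected(key: bytes) -> bool:
    """Flip one byte of a signed blob and confirm verification fails."""
    signed = sign(decode_viewstate(VIEWSTATE_NO_MAC), key)
    tampered = bytearray(signed)
    tampered[6] ^= 0x01  # alter the first byte of the serialized string
    try:
        verify(bytes(tampered), key)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    plain = decode_viewstate(VIEWSTATE_NO_MAC)
    state, mac = split_mac(decode_viewstate(VIEWSTATE_WITH_MAC))
    print(plain)                     # the serialized state is plainly readable
    print(state == plain, len(mac))  # same state, 32-byte MAC appended
    demo_key = b"constructed-demo-key-not-the-real-machineKey"  # constructed
    print(tamper_is_rejected(demo_key))
```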
Conclusion: In ASP.NET, view state integrity is maintained by setting the EnableViewStateMac="true" property.
