Clearing ASP.NET Viewstate with Javascript and Cookies

Posted 2/2/2011 9:30:48 PM

First post in a while, I know. I wanted to share an e-mail I sent to a professor regarding a discussion I had in class about the ASP.NET viewstate. We were discussing editing the viewstate and I wanted to know if he wanted us to do an assignment from the server-side or client-side. After publically humiliating me, the professor offered me 60% extra credit if I could do it on the client side. Well, I kind of came up with a method using Javascript, Jquery, Cookies, and a little bit of experimentation. I will simply paste the e-mail I sent him. Let me know if you have any questions:
I have come up with a solution (of sorts, as you will see) to the problem of manipulating the viewstate with client side code to achieve the effect of negating the changes the viewstate saves. Now, I do not expect this to be the code you were expecting, as you are correct, MAC prevents manipulation of the viewstate string without raising an exception server side. I did, however, still find a way to completely wipe out the viewstate and not raise an exception. Let me first explain my methodology:

1. First, we need to ensure that the viewstate is always the same as the first page load, that is, that it contains only the data from a non-posted back page. To do this, we need to collect the viewstate and somehow always use that string. At first I attempted to use a hard coded viewstate that I had collected manually, but this concerned me because my viewstate would be encoded using the Machine Key of my instance of the ASP.NET development server, and wouldn’t be portable. To combat this, I looked into cookies.
2. Basically, I gather the viewstate and the eventvalidation hidden input fields (they seem to be tied together) and place them into a cookie. For each subsequent form submit, I replace whatever the viewstate and eventvalidation is at the time with what their values are in the cookies. This negates the effects of Enabling the viewstate on the left side listbox, and because the cookie viewstate is a previously valid one, it passes MAC validation it does not raise any errors on the server.
3. Now, I wanted to take a look at this from a malicious standpoint, so I looked at it from an attack perspective similar to what happened in Tunisia ( where they planted malicious javascript into web requests for the purpose of submitting data to another server. Because I wanted this to be a simple attack, I used the jQuery library to practice “Unobtrusive Javascript” and bind the manipulation function to the button’s click event handler dynamically. This means I only have to drop the code block into the head of the page, and I don’t have to go parsing html to find the location of the Submit button.
4. Without further ado, the code (place in the head and post the page):

<script src="" type="text/javascript" language="javascript"></script>
<script type="text/javascript" language="javascript">

// Anti-View State javascript code
// Here's the methedology: The first time the page is loaded, it will be loaded with an empty viewstate that passes
// MAC checks. This view state needs to be the view state to always use, so it has to persist from session to session
// In order to accomplish this, we save it to a cookie. If the cookie already exists, we use the data in it. If not, assume
// that this is the first request and store the current viewstate and eventvalidation into the cookie and then use that data.
// This has the effect of negating viewstate as the page gets posted.

//Add the event handler to the submit button:
$(document).ready(function() {
$('#Submit1').click(function() { manipulate(); });

function manipulate() {
document.getElementById('__VIEWSTATE').value = getCookie("viewstate");
document.getElementById('__EVENTVALIDATION').value = getCookie("eventvalidation");

function setCookie(c_name, value, exdays) {
var exdate = new Date();
exdate.setDate(exdate.getDate() + exdays);
var c_value = escape(value) + ((exdays == null) ? "" : "; expires=" + exdate.toUTCString());
document.cookie = c_name + "=" + c_value;

function getCookie(c_name) {
var i, x, y, ARRcookies = document.cookie.split(";");
for (i = 0; i < ARRcookies.length; i++) {
x = ARRcookies[i].substr(0, ARRcookies[i].indexOf("="));
y = ARRcookies[i].substr(ARRcookies[i].indexOf("=") + 1);
x = x.replace(/^\s+|\s+$/g, "");
if (x == c_name) {
return unescape(y);

function setupCookie() {
var viewstate=getCookie("viewstate");
if (!viewstate) {
setCookie("viewstate", document.getElementById('__VIEWSTATE').value, 1);
var eventvalidation = getCookie("eventvalidation");
if (!eventvalidation){
setCookie("eventvalidation", document.getElementById('__EVENTVALIDATION').value, 1);
There you have it, a basic way to manipulate the viewstate using javascript, cookies, and a little bit of trickery.


Comments for "Clearing ASP.NET Viewstate with Javascript and Cookies"

There are no comments

Leave a Reply

Note: You may leave any field blank if you choose to do so

Your Name:

E-Mail (will not be published):