Introduction to ASP.Net Viewstate

Introduction to ASP.Net Viewstate

• 1.
  Introduction to ASP.NETViewState - By Dhiraj Ranka (NII Consulting)
• 2.
  HTTP Protocol • Stateless • Uses cookies, sessions to maintain state • Where is ViewState in picture?
• 3.
  ASP.NET Page lifecycle • verifying file access rights • resurrecting the user's session state (HTTP modules)
• 4.
  Page Life Cycleevents
• 5.
  View State • persiststate across post backs • store name and value pairs • “What sort of state needs to be persisted?” • in instantiation stage, control hierarchy is created • For example, <asp:Label runat="server" Font-Name="Verdana" Text="Hello, World!"></asp:Label>
• 6.
  The View StateProperty • Every control can stores its state • Example public string NavigateUrl { get { string text = (string) ViewState["NavigateUrl"]; if (text != null) return text; else return string.Empty; } set { ViewState["NavigateUrl"] = value; } } • whenever a control's property is read, the control's ViewState is consulted
• 7.
  Storing Information inthe Page's ViewState Property • persist page-specific and user-specific information across postbacks • Code would look like – ViewState[keyName] = value • example - creating a pageable, sortable DataGrid • sort expression must be persisted across postbacks
• 8.
  The Cost ofView State • Nothing comes for free, and view state is no exception • two performance hits for every request – In save view state control hierarchy is saved in base- 64 encoded string which is emitted in “__VIEWSTATE” hidden form field and in load view state the same is decoded and control hierarchy is updated – extra size to the Web page. Some times for view state- heavy pages can be tens of kilobytes 
• 9.
  Enabling/Disabling ViewState • Atcontrol level – <asp:Label EnableViewState=“false”…></asp:Label> • At individual page level – <%@Page EnableViewState="False" %> – Page.EnableViewState = false; • At site/application level (in web.config) – <pages enableViewState="true">
• 10.
  View State andSecurity Implications • Its nothing but base-64 encoded string • Attacker can easily decode it, manipulate and encode back before sending it
• 11.
  Prevention • Tamper proofing •Encryption • The ViewStateUserKey Property
• 12.
  Tamper Proofing • Usea machine authentication check, or MAC • It ensure that the data received by a computer is the same data that it transmitted • hashing the view state data and appending this hash to the end of the view state • When post back occurs it checks to ensure that the appended hash matches up with the hashed value • default hashing algorithm used is SHA1 (MD5)
• 13.
  Generic Error
• 14.
  Encryption • To encryptthe view state, set the <machineKey> element's validation attribute in the machine.config file to 3DES – Can be SHA1, MD5, AES • the <machineKey> element contains validationKey and decryptionKey attributes • validationKey attribute for MAC • decryptionKey attribute for 3DES • Default values are “AutoGenerate,IsolateApp”
• 15.
  Concerns with Encryption •Previous settings works fine with single web server • In web farm, it's vital that all Web servers use the same keys for MAC and/or encryption and decryption • Use shared key among all web servers
• 16.
  The ViewStateUserKey Property •Must be assigned a string value in initialization stage(Page_Init event) • User-specific value as username, but can be guessable • Recommended value is SessionID • Code would look this (Page_Init event) – Page.ViewStateUserKey = Session.SessionID;
• 17.
  • Attacker(Evil Bob)requests a page • Server salting ViewState hash using attacker’s username(Evil Bob) • Attacker tricks Normal user(Alice) to request server passing in his view state • Web server notices that Alice’s ViewStateUserKey(“Alice”) doesn’t match up with the appended key (“Evil bob”) – Exception is thrown
• 18.
  Thank you