
Can the __VIEWSTATE and __EVENTVALIDATION be used for research in order to breach a web app?

I'm learning ASP.NET now and I am a bit confused by the __VIEWSTATE and __EVENTVALIDATION.

  1. Would it be possible to read the value of those two items to learn about the internals of the app and possibly manipulate it? For example, people write that the __VIEWSTATE contains information about the properties of elements that are not sent back through the POSTBACK, like a label for example. Wouldn't it be possible then to manipulate the value of labels in an app to make it display wrong information?

  2. Would it be possible to change the value of __VIEWSTATE to a much larger value so that when it is posted back to the server it adds serious overhead to decompressing and/or decrypting the information, thus basically making a DDoS?


  1. Yes, it is possible to read the values of the viewstate. It is base64 encoded, which does not mean it is encrypted, so to read its values all you need to do is convert it from base64 to UTF-8 and you will be able to read its contents. Try it out here for yourself. Each control is listed, along with several of its properties. In regards to manipulating the contents, this is possible but difficult, as the contents are validated before being processed on the server end.

  2. Yes, it's possible. If your site is targeted for an attack and a huge number of large requests were sent with large viewstates, then it will have a corresponding effect on the server.

Take a look at the following:

  • Denial of service attacks
  • Viewstate info
  • Truly understanding viewstate


  1. Yes, if you don't encrypt it using a machine key. Read this: Malicious use of view state
  2. Encryption and ViewState MAC helps here. Read this: Protecting Your Site from DDoS Attacks


  1. Yes, however it would only display incorrectly for that client. When it becomes dangerous is when you read these values to perform your business logic. Generally, for web apps, never trust information from the client. The value of the viewstate is hashed to attempt to detect modification with the default settings of ASP.NET, but it can still be manipulated by someone with enough desire.

  2. Yes, it is just a field on the form that you receive from the client. Thus it can be manipulated.
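The three points the answers make (base64 is encoding, not encryption; the ViewState MAC keyed with the machine key detects modification; an oversized field should be rejected before the server spends work on it) are easier to see with a runnable model. The following is an added example and not code from the question or any of the answers. It uses a toy JSON payload with an HMAC-SHA256 tag as a stand-in for the real ASP.NET serializer (LosFormatter / ObjectStateFormatter), and the machine key, the 8 KB cap, and the control names are all assumptions chosen for the demonstration; the real machine key lives in the `<machineKey>` element of web.config / machine.config and never reaches the client.

```python
# Added example, not code from the original question or answers.
# A toy stand-in for ASP.NET __VIEWSTATE that shows three things the answers
# above make: base64 is not encryption, a keyed MAC detects tampering, and a
# size cap should reject oversized fields before any decode/verify work.
# ASSUMPTION: the payload is JSON; the real ASP.NET format (LosFormatter /
# ObjectStateFormatter) is a binary serializer, but the security argument is
# identical because neither is a cipher.
import base64
import hashlib
import hmac
import json

# ASSUMPTION: a hypothetical machine key; ASP.NET reads its validation key from
# <machineKey> in web.config / machine.config and never sends it to the client.
MACHINE_KEY = bytes.fromhex(
    "0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0")
TAG_LEN = hashlib.sha256().digest_size  # 32-byte tag appended after the payload
MAX_VIEWSTATE_CHARS = 8 * 1024  # ASSUMPTION: a hypothetical per-request cap


def build_viewstate(state: dict, key: bytes = MACHINE_KEY) -> str:
    """Server side: serialize control state, append an HMAC, base64 the result."""
    payload = json.dumps(state, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + tag).decode("ascii")


def peek_viewstate(field: str) -> dict:
    """Attacker side, no key needed: base64-decode and read the control state.
    This is the 'encoded, not encrypted' point from the first answer."""
    raw = base64.b64decode(field)
    return json.loads(raw[:-TAG_LEN])


def tamper_viewstate(field: str, control: str, prop: str, value) -> str:
    """Attacker side: rewrite one property (e.g. a Label's Text) while keeping
    the original tag, to see whether the server notices."""
    raw = base64.b64decode(field)
    state = json.loads(raw[:-TAG_LEN])
    state.setdefault(control, {})[prop] = value
    payload = json.dumps(state, separators=(",", ":"), sort_keys=True).encode()
    return base64.b64encode(payload + raw[-TAG_LEN:]).decode("ascii")


def load_viewstate(field: str, key: bytes = MACHINE_KEY,
                   max_chars: int = MAX_VIEWSTATE_CHARS) -> dict:
    """Server side on postback. Order matters for the DoS question: the cheap
    length check runs first, then the MAC check, and only then the (expensive)
    deserialization of attacker-controlled bytes."""
    if len(field) > max_chars:
        raise ValueError("__VIEWSTATE exceeds %d chars; rejected before decoding"
                         % max_chars)
    raw = base64.b64decode(field, validate=True)
    if len(raw) <= TAG_LEN:
        raise ValueError("__VIEWSTATE too short to carry a MAC")
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("__VIEWSTATE MAC validation failed; not deserializing")
    return json.loads(payload)


if __name__ == "__main__":
    # Constructed sample state: what a page might stash for controls that do
    # not post their values back (the Label example from the question).
    original = {"lblBalance": {"Text": "$100.00"}, "btnPay": {"Enabled": False}}
    field = build_viewstate(original)
    print("readable without the key:", peek_viewstate(field))
    forged = tamper_viewstate(field, "lblBalance", "Text", "$1,000,000.00")
    print("attacker sees forged text:",
          peek_viewstate(forged)["lblBalance"]["Text"])
    for name, f in (("genuine", field), ("forged", forged)):
        try:
            load_viewstate(f)
            print(name, "accepted")
        except ValueError as err:
            print(name, "rejected:", err)
```

Running it shows the asymmetry the answers describe: `peek_viewstate` recovers every control property with no secret at all, the forged label text is visible to whoever built it, yet `load_viewstate` refuses the forged field because the tag no longer matches. The ordering inside `load_viewstate` is the practical answer to the second question: a length check on the raw field costs nothing, and a MAC check over the decoded bytes is far cheaper than deserializing them, so an attacker who inflates __VIEWSTATE buys only the cost of a rejected request. Current ASP.NET versions enable the ViewState MAC by default; the model here shows why turning it off is what turns readable state into forgeable state.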

