The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws
Strings within version 2 of the ViewState are length-prepended, so changing the price parameter from 1224.95 to 1 also requires that you change the length from 7 to 1, shown here.

You can then reencode the modified structure as Base64, and submit the new ViewState value to the application:

POST /order.aspx HTTP/1.1
Host: wahh-app.com
Content-Length: 87

__VIEWSTATE=%2FwEPDwUKMTIxNDIyOTM0Mg8WAh4FcHJpY2UFATFkZA%3d%3d&quantity=1&cmdBuy=Buy%21

which enables you to purchase the product at a price of 1.

Unfortunately, however, hacking ASP.NET applications is not usually as simple as this. There is an option within ASP.NET for the platform to include a keyed hash within the ViewState structure. This option is often on by default but can be explicitly activated by adding the following to the page declaration:

EnableViewStateMac="true"

The EnableViewStateMac option is activated in around 90% of today's ASP.NET applications, meaning that the ViewState parameter cannot be tampered with without breaking the hash. In the previous example, using this option results in the following ViewState:

FF 01 0F 0F 05 0A 31 32 31 34 32 32 39 33 34 32 ; ÿ.....1214229342
0F 16 02 1E 05 70 72 69 63 65 05 07 31 32 32 34 ; .....price..1224
2E 39 35 64 64 C4 75 60 70 9F 10 8B 61 04 15 27 ; .95ddÄu`pŸ.‹a..’
A1 06 1E F0 35 16 F0 46 A8                      ; ¡..ð5.ðF¨

The additional data after the end of the serialized form data is the keyed hash of the preceding structure. If you now try to modify the price parameter, you cannot create a valid hash without knowing the secret key, which is stored on the server. Changing the price alone returns the error message shown in Figure 5-3.
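As an added illustration that is not from the book, the following Python decodes the two ViewStates shown above (the unkeyed one from the request and the keyed hex dump), walks the length-prepended tokens, and verifies a trailing keyed hash of the kind EnableViewStateMac appends before anything is deserialized. The meaning of the five token tags is inferred from the dump and HMAC-SHA1 is a stand-in for the platform's own keyed hash; neither is ASP.NET's actual algorithm.

```python
import base64
import hashlib
import hmac

# Tags as they appear in the dump on this page; roles inferred from that dump (assumption).
T_STRING, T_PAIR, T_LIST, T_INDEXED, T_NULL = 0x05, 0x0F, 0x16, 0x1E, 0x64
MAC_LEN = 20  # the trailer in the page's dump is 20 bytes; HMAC-SHA1 is assumed as a stand-in

def parse_token(data: bytes, pos: int):
    """Decode one token at data[pos]; strings are length-prepended. Returns (value, next_pos)."""
    tag, pos = data[pos], pos + 1
    if tag in (T_STRING, T_INDEXED):
        n = data[pos]                                    # one-byte length suffices for this dump
        return data[pos + 1:pos + 1 + n].decode("ascii"), pos + 1 + n
    if tag == T_PAIR:
        first, pos = parse_token(data, pos)
        second, pos = parse_token(data, pos)
        return (first, second), pos
    if tag == T_LIST:
        count, pos, items = data[pos], pos + 1, []
        for _ in range(count):
            item, pos = parse_token(data, pos)
            items.append(item)
        return items, pos
    if tag == T_NULL:
        return None, pos
    raise ValueError(f"unsupported token 0x{tag:02x} at offset {pos - 1}")

def decode_raw(raw: bytes):
    """Return (structure, trailing bytes); the trailer is the keyed hash when one is present."""
    if raw[:2] != b"\xff\x01":
        raise ValueError("not a version-2 ViewState")
    value, end = parse_token(raw, 2)
    return value, raw[end:]

def decode_viewstate(b64: str):
    return decode_raw(base64.b64decode(b64))

def sign(serialized: bytes, key: bytes) -> bytes:
    """Append a keyed hash of the serialized structure (what EnableViewStateMac does conceptually)."""
    return serialized + hmac.new(key, serialized, hashlib.sha1).digest()

def verify(signed: bytes, key: bytes) -> bool:
    """Check the trailer before deserializing anything, using a constant-time comparison."""
    body, tag = signed[:-MAC_LEN], signed[-MAC_LEN:]
    return hmac.compare_digest(hmac.new(key, body, hashlib.sha1).digest(), tag)

PAGE_VIEWSTATE = "/wEPDwUKMTIxNDIyOTM0Mg8WAh4FcHJpY2UFATFkZA=="   # from the request above
PAGE_DUMP_MAC = bytes.fromhex("FF010F0F050A31323134323239333432" "0F16021E057072696365050731323234"
                              "2E39356464C47560709F108B61041527" "A1061EF03516F046A8")
```

Running `decode_raw(PAGE_DUMP_MAC)` yields the pair tree with the price string "1224.95" plus a 20-byte trailer, while the request's ViewState decodes to the same tree with "1" and no trailer; `verify` rejects any edit to the body under a key the client does not hold.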