ASP.NET ViewState: Approach with Caution

You already know this, somewhere in the back of your mind your little inner voice keeps telling you that you shouldn’t be putting into ViewState anything that’s even remotely close to looking as if it could ever be sensitive.

Although ViewState provides some built in mechanisms to prevent tampering and hijacking (via Machine Authentication Check, know as MAC), and is very useful to developers, the thing to remember is that it is completely readable text, stored on the client’s browser, in the markup of the page.

What do you mean “completely readable”? I mean just that, it’s a base 64 encoded string that is easily decoded into human (or hacker software) readable. To see for yourself just download and use the ViewState Decoder, available from the awesome guys at PluralSite ( ).

It’s not uncommon to store custom items in ViewState, while this can be extremely useful it’s important to remember that this information will be packaged up into the Base 64 encoded string (ultimately ended up as the Value of a Hidden Field) and easily viewable to the world with little effort.

If you don’t need ViewState then turn it off. This is easily accomplished at the control and/or page level or globally via the Web.config file (a.k.a. ViewStateEnabled = “false”). To learn more about ViewState please visit pay special attention to the section about ViewStateMAC and Server.Transer, read the KB Article which explain in detail the security whole you open up when disabling the ViewStateMAC security feature (;EN-US;316920 )

An important thing to remember is that ViewState can grow to be extremely large, bloating the page size that must be downloaded to the end users computer both on the initial visit to the page and with each postback, resulting in slower site performance and heavier loads on the server and network.

Widely available, simple to use, hacker tools make it easy for you to become a victim, no effort required

Got BeEF? If you have no idea what I’m talking about, or think it’s a Wendy’s commercial, you are in for a big surprise. Go to and you will forever be changed.  Here is the description of what BeEF is, directly from the source:

“BeEF is a browser exploitation framework. This tool will demonstrate the collecting of zombie browsers and browser vulnerabilities in real-time. It provides a command and control interface which facilitates the targeting of individual or groups of zombie browsers.”

Recently I saw BeEF in action, showing how it can be used with a Cross Site Scripting (XSS) attack to silently turn an unsuspecting user’s browser session into a Zombie that does the hackers bidding, all without the victim ever knowing anything.

Imagine someone getting you to commit crimes, steal for them, or whatever they wanted all while you thought you were doing something else, it was a serious eye-opener. There are lots of tutorials to show you how to use BeEF:

Now that I have your attention it’s time to start thinking about hacking and how to avoid becoming a victim. Learn about the tools available, the threats that are common, and what you can do to prevent them. Consider taking one of the many courses offered from the SANS Institute, believe me it will be worth it!

You Cannot Stop a Hacker

Securing your applications, network, and everything in between involves implementing staggered levels of security (known as a “Defense In Depth” strategy), each a small deterrent that when combined together create a defensive strategy that is quite frankly to much of a pain in the ass for the hacker, resulting in the hacker moving on to easier targets.

The keyword here is “deterrent”, if a hacker wants in they will eventually accomplish their goal, making it take a thousand years, as opposed to a thousandth of a second, is up to you. Visit the SANS Institute, learn what your up against, the threat is real and you will eventually become a victim.

Cloning a Virtual Machine

Most of us have heard of “Virtual Servers” even though we may not really know (or care) what that means.  If you do a search on Google or Bing (or whatever search engine you use) you will find lots of results, most of which reference VM Ware or Virtual PC.

With easy to use, and often free, tools you can create a “virtual” system of servers, work stations, or whatever you want. In this post we will talk specifically about how to clone an existing Virtual Machine so that you can create new VM’s with little effort. It is assumed that you have already installed VMWare Server and that you have also created a Virtual Machine that you wish to copy. In this example we have installed Windows Server 2003 R2 on a new VM, along with all the security updates, and we want to copy this to avoid having to go through the hours of pain it takes to get a new OS installed and ready to go.

If you have not done so already go to  and download VMWare Server. It’s important to note that this is the Free Server product they have. They offer a TON of other stuff, but VMWare Server is where you want to start. In addition if you do not have an MSDN account, or legal copies of an operating system that you want to install on your Virtual Machines, than you may qualify for one of the programs offered by Microsoft which will get you access to the software you need.

Need Legal OS Sorftware:

You’re a Web Developer? Get involved with Website Spark:

You own your own business and develop software as a service to your clients? BizSpark is what you want:

Are you a student and learning software development? DreamSpark is what you want:

Once you have the tools and the software then follow the steps to create a new Virtual Machine in VMWare. Install the OS and get all the updates installed. Once you are completely finished then follow these instructions to “clone” that Virtual Machine.

Follow these instructions


Step 1:

In the VMWare Console select the Virtual Machine you wish to clone. In the Commands section click the link that says “Power Off”.

Using Windows Explorer navigate to the location of your Virtual Machines (often referred to as the “Inventory Location”), in my case this was located on a Share Drive in a folder called Virtual Machines.

Locate the VM you wish to clone, copy the folder and all of its contents into a new folder. Make sure that this is also located within the same folder as your other VMs (a.k.a. it needs to be within the Inventory Location).

Step 2:

Open the VMWare console, on the right hand side under the section labeled Commands click the link that says “Add Virtual Machine to Inventory”

Expand the nodes under the inventory column until you find the folder of the copied VM, select the folder, and under the Contents section select the file that has the .vmx extension (you should only see this one file). Click OK.

Step 3:

Look back as the Inventory section of the console, you will notice that the copied VM appears in the list and has the same name as the original. Select the copied VM (the 2nd one in the list, newer appears below the older). From the right hand side of the console, under the Command section, select the link that says “Configure VM”

The VM Configuration window appears. Confirm that you have selected the correct VM by looking at the Working Directory; it should be the path to the copied files.

In the Virtual Machine Name textbox enter a new name, click the OK button.

Step 4:

If the new Virtual Machine is not running then, under the Commands section, click the link that says “Power On”

Select the tab labeled “Console”, click anywhere in the console window to open the command window in order to remote into the machine

We need to change the name of this new machine so that we don’t have duplicates on the network. Enter the same username and password that you used to access the original machine and log into the server. Using Windows Explore right click on “My Computer” and select Properties

Select the “Computer Name” tab, click on the button labeled “Change”, enter a new name for this computer and click the OK button. You will be prompted to restart the computer, click OK.

Step 5:

In the Inventory section of the console select the original Virtual Machine (the one you cloned), under the Commands section select the link that says “Power On”.

Select the Console tab and remote into the server, ensure that all is well.

Congratulations, you have successfully cloned your Virtual Machine