Skip to content

yuvadm/viewstate

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

114 Commits
.github/workflows
.github/workflows
 
 
tests
tests
 
 
viewstate
viewstate
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.rst
README.rst
 
 
pyproject.toml
pyproject.toml
 
 

Repository files navigation

ASP.NET View State Decoder

A small Python library for decoding ASP.NET viewstate.

Viewstate is a method used in the ASP.NET framework to persist changes to a web form across postbacks. It is usually saved on a hidden form field:

<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEP...">

Decoding the view state can be useful in penetration testing on ASP.NET applications, as well as revealing more information that can be used to efficiently scrape web pages.

https://img.shields.io/pypi/v/viewstate

Install

$ pip install viewstate

Usage

The Viewstate decoder accepts Base64 encoded .NET viewstate data and returns the decoded output in the form of plain Python objects.

There are two main ways to use this package. First, it can be used as an imported library with the following typical use case:

>>> from viewstate import ViewState
>>> base64_encoded_viewstate = '/wEPBQVhYmNkZQ9nAgE='
>>> vs = ViewState(base64_encoded_viewstate)
>>> vs.decode()
('abcde', (True, 1))

It is also possible to feed the raw bytes directly:

>>> vs = ViewState(raw=b'\xff\x01....')

Alternatively, the library can be used via command line by directly executing the module:

$ cat data.base64 | python -m viewstate

Which will pretty-print the decoded data structure.

The command line usage can also accept raw bytes with the -r flag:

$ cat data.base64 | base64 -d | python -m viewstate -r

Viewstate HMAC signatures are also supported. In case there are any remaining bytes after parsing, they are assumed to be HMAC signatures, with the types estimated according to signature length.

>>> vs = ViewState(signed_view_state)
>>> vs.decode()
>>> vs.mac
'hmac_sha256'
>>> vs.signature
b'....'

Development

Development packages can be installed with poetry. Unit tests, lints and code formatting tasks can be run with:

$ poetry install
$ poetry run pytest
$ poetry run ruff

For PyPI releases, run build and publish:

$ poetry build
$ poetry publish

Note that for uploading a new package version, a valid PyPI auth token should be configured.

References

Since there is no publically available specification of how .NET viewstate is encoded, reverse engineering was based on prior work:

Any official documents would be gladly accepted to help improve the parsing logic.

License

MIT

About

ASP.NET View State Decoder

Topics

python security dotnet scraping python3 web-security asp-net hacktoberfest viewstate

Resources

Readme

License

MIT license
Activity

Stars

102 stars

Watchers

5 watching

Forks

14 forks
Report repository

Releases 1

v0.6.0 Latest
May 20, 2024

Packages

No packages published

Contributors 3

  •  
  •  
  •  

Languages