Collection of things related to information security and geopolitics


Viewstalker: Automating the discovery and exploitation of vulnerable ASP.NET Viewstates

August 21st, 2022
Viewstates are widely used in ASP.NET applications. A viewstate is a serialized object containing arbitrary data that the application uses for a variety of functions. The backend deserializes it after verifying its integrity. Both serialization and deserialization are handled by System.Web.UI.LosFormatter, which does not (and cannot) perform deserialization in a secure manner. As a result, attackers can trivially achieve remote code execution on a vulnerable target by supplying a malicious gadget chain, like those generated by ysoserial.net. Despite the relative ease of exploitation, this vulnerability persists in the wild, much to my dismay. To address this, I am providing the community with ViewStalker, which can be used to identify and exploit vulnerable applications.

At the moment the utility is in a sort of MVP state and provides some basic (and buggy) functionality. You can grab the code here and try it yourself.
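Because deserialization is gated only by the integrity check described above, a defender can audit the settings that control that check. The following is an added example, not part of the original post or of ViewStalker: it scans a `web.config` for a disabled viewstate MAC (`enableViewStateMac`) and for `machineKey` values that are hard-coded instead of auto-generated. The function name `audit_web_config` and both sample configs are constructed for illustration, and the key values are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (not from the original post); key values are placeholders.
SAMPLE_WEAK = """<configuration>
  <system.web>
    <pages enableViewStateMac="false" />
    <machineKey validationKey="PLACEHOLDER_HARDCODED_KEY"
                decryptionKey="AutoGenerate,IsolateApps" validation="SHA1" />
  </system.web>
</configuration>"""

SAMPLE_OK = """<configuration>
  <system.web>
    <pages enableViewStateMac="true" />
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps" validation="HMACSHA256" />
  </system.web>
</configuration>"""


def audit_web_config(xml_text):
    """Return findings for settings that weaken the viewstate integrity check."""
    findings = []
    root = ET.fromstring(xml_text)
    # <location> elements can carry their own <system.web>, so scan every occurrence.
    for system_web in root.iter("system.web"):
        for pages in system_web.findall("pages"):
            # With the MAC disabled, the viewstate reaches the deserializer unverified.
            if pages.get("enableViewStateMac", "true").strip().lower() == "false":
                findings.append("viewstate-mac-disabled")
        for machine_key in system_web.findall("machineKey"):
            # A hard-coded key is only as safe as every copy of this file:
            # anyone who obtains it can produce a viewstate that passes the check.
            for attr in ("validationKey", "decryptionKey"):
                value = machine_key.get(attr, "AutoGenerate")
                if not value.strip().lower().startswith("autogenerate"):
                    findings.append(f"static-{attr}")
    return findings


if __name__ == "__main__":
    for name, config in (("weak", SAMPLE_WEAK), ("ok", SAMPLE_OK)):
        print(name, audit_web_config(config) or "no findings")
```

A `static-*` finding is a prompt for review, not proof of a flaw: web farms need shared keys, so the check to make is that the key is unique to the deployment and has never been published or committed to source control.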