By: Patrick Toomey
So, I was reading the usual blogs and came across a post by Mike Tracy from Matasano (Matasano has been having some technical difficulties…this link should work once they have recovered). In the blog post Mike talks about the development of a ViewState serializer/deserializer for his WWMD web application security assessment console (please see Mike’s original post for more details). Mike noted that the tools for viewing/manipulating ViewState from an application testing perspective are pretty weak, and I can’t agree more. There are a number of ViewState tools floating around that do a tolerable job of taking in a Base64 encoded ViewState string and presenting the user with a static view of the deserialized object. However, no tools up until this point, save for Mike’s new implementation, have allowed a user to change the values within the deserialized object and then reserialize them into a new Base64 string. Mike’s tool does exactly this, and is immensely useful for web application testing. The only downside to Mike’s tools is that it is built for his workflow and not mine (how can I fault the man for that). So, I decided to build an equivalent that works well for me (and hopefully for you as well).
I tend to have a web proxy of some sort running on my machine throughout the day. There are tons of them out there and everyone seems to have their personal favorite. There is Paros, WebScarab, BurpSuite, and I am sure many others. In the last few months I have been using a newer entrant into the category, Fiddler. Fiddler is a great web proxy whose only big drawback is that it is Windows only. However, at least for me, the upsides to Fiddler tend to outweigh the negatives. Fiddler has a fairly refined workflow (don’t get me started on WebScarab), is stable (don’t get me started on Paros), and is pretty extensible. There are a number of ways to extend Fiddler, most trivially using their own FiddlerScript hooks. In addition, there is a public API for extending the application using .NET. Fiddler has a number of interfaces that can be extended to allow for inspecting and manipulating requests or responses. Please see the Fiddler site for more details on extending Fiddler using either FiddlerScript or .NET. In particular, take a look at the development section to get a better feel for the facilities provided by Fiddler for extending the application.
Anyway, I had been thinking about writing a ViewState serializer/deserializer for Fiddler for the past month or two when I saw Mike’s blog post. I decided that it was about time to set aside a little time and write some code. I was lucky that Fiddler uses .NET, as I was able to leverage all of the system assemblies that Mike had to decompile in Reflector. After a bit of coding I ended up with my ViewStateViewer Fiddler inspector. Let’s take a quick tour…
ViewStateViewer seamlessly integrates into the Fiddler workflow, allowing a user to manipulate ViewState just as they would any other variable in a HTTP request. An extremely common scenario for testing involves submitting a request in the browser, trapping the request in a proxy, changing a variable’s value, and forwarding the request on to the server. ViewStateViewer tries to integrate into this workflow as seamlessly as possible. Upon trapping a request that contains ViewState, ViewStateViewer extract the Base64 encoded ViewState, Base64 decodes it, deserializes the ViewState, and allows a user to manipulate the ViewState as they would any other variable sent to the server. Let’s take a look at some screenshots to get a better idea of how this works.
By Default, Fiddler lets a user trap requests and view/edit a POST body before submitting the request to the server. In this case, the POST body contains serialized ViewState that we would like to work with. Without ViewStateViewer this is non-trivial, as Fiddler only shows us the Base64 encoded serialization.
ViewStateViewer adds a new “ViewState” tab within Fiddler that dynamically identifies and deserializes ViewState on the fly. The top half of the inspector shows the original Base64 serialized ViewState string. The bottom half of the inspector shows an XML representation of the deserialized ViewState. In between these two views the user can see if the ViewState is MAC protected and the version of the ViewState being deserialized. In this case we can see that this is .NET 2.X ViewState and that MAC protection is not enabled.
Once the ViewState is deserialized we can manipulate the ViewState by changing the values in the XML representation. In this example we changed one of the string values to “foobar”, as can be seen in the figure above. Once we change the value we can reserialize the ViewState using the “encode” button. The reserialized Base64 encoded ViewState string can be seen in the top half of the ViewStateViewer window. Once we have “encoded” the ViewState with our modifications, ViewStateViewer automatically updates the POST body with the new serialized ViewState string. This request can now be “Run to Completion”, which lets Fiddler submit the updated request to the server.
It should be noted that if the original ViewState had used MAC protection ViewStateViewer would not be able to reserialize the manipulated ViewState with a valid MAC. While ViewStateViewer will not prevent you from deserializing, manipulating, and reserializing MAC protected ViewState, it will not be able to append a valid MAC to modified ViewState. ViewStateViewer will warn us that “Modified ViewState does not contain a valid MAC”. Modified requests made using reserialized MAC protected ViewState will ultimately fail, as we don’t know the machine key used to produce a valid MAC. Regardless, sometimes simply being able to view what is being stored in MAC protected ViewState can be useful during an application assessment.
In addition to MAC protection, ViewState can be optionally protected using encryption. Encryption will prevent any attempt by ViewStateViewer to deserialize the ViewState. If encryption is detected ViewStateViewer will simply show the user the original Base64 ViewState string. However, as any application security consultant can attest, there are many applications that do not encrypt or MAC protect their ViewState. ViewStateViewer is aimed squarely at these use cases.
Finally, ViewStateViewer was written entirely with deserializing/serializing ViewState 2.X in mind. While ViewState 1.X is supported, the support at this time is limited, though completely functional. ViewState 1.X, unlike ViewState 2.X, Base64 decodes into a completely human readable ASCII based serialization format (think JSON). As such, ViewStateViewer simply Base64 decodes ViewState 1.X and displays the result to the user. The user is then free to make any changes they wish to the decoded ViewState. This works exactly the same as the example shown above, except that the decoded ViewState object will not be a nicely formatted XML document. I might get around to adding true ViewState 1.X support, but the benefits would be purely cosmetic, as the current implementation has no functional limitations.
ViewState is one of those areas that tends to be under-tested during application assessments, as there have been no good tools for efficiently evaluating the effects of modifying ViewState. Hopefully the release of ViewStateViewer will make evaluation of ViewState a more common practice. If you want to give ViewStateViewer a try you can download the Fiddler plugin(with source) here. Simply copy ViewStateViewer.dll into your “Inspectors” folder within your Fiddler install directory. It should be noted that this inspector is for Fiddler2, so please update your copy of Fiddler if you are out of date. Finally, this is very much a work in progress. As I found out during development, there is ton of ViewState out there that is either non-trivial to deserialize/reserialize or is impossible to deserialize/reserialize (non-standard objects being serialized for example). Maybe I’ll do another blog post detailing some of these difficult/impossible to handle edge cases in a subsequent post. So, while I have done some limited testing, I am sure there are some bugs that will crop up. If you happen to find one please don’t hesitate to contact me.