Exploiting Deserialisation in ASP.NET via ViewState

Introduction

ASP.NET web applications use ViewState to maintain page state and persist data in a web form. The ViewState is a base64-encoded serialised value that is normally sent in a POST request via a hidden parameter called __VIEWSTATE. This parameter is deserialised on the server side to retrieve the data. It is …
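
The following Python code is an added example, not part of the original post. It pulls the __VIEWSTATE value out of a page or a form-encoded POST body, base64-decodes it, and reports whether the bytes start with the 0xFF 0x01 header that ObjectStateFormatter writes, which is what a reviewer sees when the field is not encrypted. The sample values and the txtName field are constructed for illustration.

```python
import base64
import binascii
from html.parser import HTMLParser
from urllib.parse import parse_qs

# ObjectStateFormatter output begins with a format marker (0xFF) and version (0x01).
OSF_HEADER = b"\xff\x01"

# Constructed sample: header plus one placeholder byte, not a real page's state.
SAMPLE_B64 = base64.b64encode(OSF_HEADER + b"d").decode()  # "/wFk"
SAMPLE_HTML = ('<form method="post"><input type="hidden" '
               'name="__VIEWSTATE" value="%s" /></form>' % SAMPLE_B64)
SAMPLE_POST = "__VIEWSTATE=%2FwFk&txtName=alice"  # txtName is a hypothetical field


class _Finder(HTMLParser):
    """Records the value attribute of the hidden __VIEWSTATE input."""

    def __init__(self):
        super().__init__()
        self.value = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "input" and attrs.get("name") == "__VIEWSTATE":
            self.value = attrs.get("value") or ""


def viewstate_from_html(page):
    finder = _Finder()
    finder.feed(page)
    return finder.value


def viewstate_from_post(body):
    # parse_qs undoes form encoding, so %2B, %2F and %3D come back as +, / and =.
    values = parse_qs(body, keep_blank_values=True).get("__VIEWSTATE")
    return values[0] if values else None


def inspect_viewstate(value):
    """Decode the field and report what is visible without any server keys."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return {"valid_base64": False, "length": 0, "plaintext_header": False}
    return {"valid_base64": True, "length": len(raw),
            "plaintext_header": raw.startswith(OSF_HEADER)}


if __name__ == "__main__":
    print(inspect_viewstate(viewstate_from_post(SAMPLE_POST)))
```

A value copied from a raw request without form-decoding it first can contain a space where the base64 had a `+`; `inspect_viewstate` reports that as invalid base64 instead of decoding it incorrectly.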