ASP.NET ViewState Deserialization Attack Chain
In this lab, you’ll practice deserialization attacks against ASP.Net ViewState. When you’re finished, you’ll be able to remotely execute code against a vulnerable ASP.NET web service, retrieving information from the server.
Terms and conditions apply.
Challenge
Getting Started in the Lab Environment
Here are the initial instructions and explanation of the lab environment. Read this while your environment is busy creating itself from nothing. Yes, this violates physics; we know. How fun!
Challenge
Getting Keys from web.config
You'll verify a website uses ViewState and use a Local File Inclusion vulnerability to retrieve the contents of the web.config file. This contains configuration information that will allow you to create your own valid ViewState.
Challenge
Generating and Sending ViewState
You'll use the configuration you've found to create your own ViewState. That will contain a PowerShell command to call back to your lab computer. Sending a web request with your ViewState will run that command, demonstrating remote code execution
Challenge
The Last Challenge
Welcome to the final challenge! This is your last chance to experiment in the environment. Clicking Finish Lab will end this little world that flittered into existence just for you.
Provided environment for hands-on practice
We will provide the credentials and environment necessary for you to practice right within your browser.
Guided walkthrough
Follow along with the author’s guided walkthrough and build something new in your provided environment!
Did you know?
On average, you retain 75% more of your learning if you get time for practice.
Recommended prerequisites
- An understanding of serialization
- An understanding of Local File Inclusion (LFI)
- Be familiar with using Burp Suite to intercept, edit and replay web requests