Thursday, 3 June 2010

O2 Script: ViewState Decoder for .NET 2.0

I just published to the O2 Platform Wiki a good example of O2's powerful scripting capabilities (including the ability that I have (using O2's MediaWiki editor tool) to quickly create technical articles containing tons of screenshots)

The tool is a ViewState decoder for .Net 2.0 and the article is here: http://o2platform.com/wiki/DotNet/ViewState_Decoder_ASP.NET_2.0

Here are the features of this tool:

* Enter any url or browse to any website, and the list of all values present in the ViewState will be shown on the right (note that the refresh is fired on the browser's OnLoad event (which means that you will get multiple views for urls that load more that one page))
* The list of url's is cached in the ComboBox used to enter the url to load (top left)
* There are two view modes
* the simple mode (by default) which presents a TextBox with all values found in the ViewState
* the 'Show all Details' mode (tick the checkbox) which shows: a TreeView of the ViewState, the ViewState Xml, the ViewState values (same as simple mode) and the same info (TreeView, Xml and Values) for the ControlState values
* All relevant code required to create this tool is being dynamically compiled on the fly (note how the source code included at the end of the post is quite small, and the couple supporting classes (included as File references) are also not that big)
* I wrote this entire tool in couple hours today (using O2's scripting environment). Here was my workflow:
* had the need to decode HacmeBank's viewstate
* found a good code sample of the decoding process (which I got from PluralSight's ViewState Decode example)
* created and tweaked the Tool's GUI
* created a couple supporting 'DotNet ViewState' APIs
* consumed the APIs from the GUI
* created the documentation WikiPage

For me, the power of the O2 Platform, lies not in the fact that I can build tools like this, but the fact that I can do it in a couple hours.

Of course, that now that I have an API for DotNet's ViewState, I will be able to perform much complex vulnerability analysis workflows (for example find data leakage or authorisation issues by analysing the ViewState collected from multiple user's sessions)