
I need to perform a security scan of an ASP.NET website hosted on IIS.

For that purpose the security scanner needs to be able to perform an automated login during its scan.

For some reason this third-party application is unable to take the viewstate from the login page GET request and use it in the following POST request.

This means it can only do a POST request with a hardcoded value; however, that won't work, as the viewstate cannot then be validated.

If I try to just do the POST request without any viewstate, my code is never activated, and my guess is that IIS is completely blocking POST requests with an empty or missing viewstate.

Is there any way around this so I can get my single login page to accept POST requests with no viewstate, or another way around this problem?

LarsHJ
  • What is the security scanner? – nmat May 31 '13 at 10:13
  • @nmat http://www.acunetix.com/ – LarsHJ May 31 '13 at 10:17
  • Is this viewstate too big? Maybe if you reduce it, compress it, and split it, it can be better for your site in general. This looks like a scan issue anyway, meaning that the company that makes the scanner must fix it, not necessarily you. – Aristos May 31 '13 at 10:28
  • @Aristos I agree, acunetix should fix this, but a representative has told me they will not, hence why I am trying to find a way around this. – LarsHJ May 31 '13 at 11:04
  • @LarsHJ This is the way around it. Reduce the viewstate, compress it and split it. Here is a related answer (and see also the rest of the links inside it): http://stackoverflow.com/questions/12086120/how-i-can-deactivate-viewstate-without-control-problems/12086277#12086277 – Aristos May 31 '13 at 12:09
  • @Aristos Reducing, compressing, splitting changes nothing. The security scanner cannot find and record the viewstate and send it back. I need to find a way to get IIS to accept a POST request with no viewstate. – LarsHJ May 31 '13 at 12:45
  • @LarsHJ You can simply turn the viewstate off on the page that you need to check, and if they work all is good. – Aristos May 31 '13 at 12:51
  • @Aristos I tried setting EnableViewState = false, but that didn't change anything, as there was still a small viewstate present. See http://stackoverflow.com/questions/283082/why-does-viewstate-hidden-field-gets-rendered-even-when-i-have-the-enableviews. I even tried the solution at http://stackoverflow.com/questions/2432972/completely-remove-viewstate-for-specific-pages/5864040#5864040, which resulted in the GET request having an empty viewstate, but when posting back the request never hits my code, and again I presume IIS is blocking it somehow. – LarsHJ May 31 '13 at 13:17
  • I don't know if you're required to use that software, but I've used the free OWASP ZAP scanner successfully with asp.net. https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project – Jason P May 31 '13 at 14:07
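The post-back the question describes, as an added example that is not part of the question or of any scanner: a small Python script that pulls the hidden ASP.NET fields (`__VIEWSTATE`, `__VIEWSTATEGENERATOR`, `__EVENTVALIDATION`) out of the login page's GET response and builds the form body the following POST must carry, refusing to build one when `__VIEWSTATE` is absent. The HTML sample and the field names `txtUser`, `txtPass` and `btnLogin` are constructed placeholders.

```python
"""Extract ASP.NET hidden fields from a login page and build the post-back body.
Added example; the sample HTML and control names below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlencode

# Constructed sample of what a WebForms login page returns on GET (not a real page).
SAMPLE_LOGIN_HTML = """
<form method="post" action="Login.aspx" id="form1">
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUKMTIzNDU2Nzg5MGRk" />
<input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="CA0B0334" />
<input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION" value="/wEdAAEXAMPLE&#43;" />
<input name="txtUser" type="text" id="txtUser" />
<input name="txtPass" type="password" id="txtPass" />
<input type="submit" name="btnLogin" value="Log in" id="btnLogin" />
</form>
"""


class HiddenFieldParser(HTMLParser):
    """Collects every <input type="hidden"> as name -> value (entities decoded)."""

    def __init__(self):
        super().__init__()  # convert_charrefs=True, so &#43; becomes '+'
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        a = dict(attrs)
        if (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""


def hidden_fields(html: str) -> dict:
    parser = HiddenFieldParser()
    parser.feed(html)
    return parser.fields


def build_login_body(html: str, user: str, password: str,
                     user_field="txtUser", pass_field="txtPass",
                     submit_field="btnLogin") -> str:
    """Merge the page's hidden fields with the credentials into the
    application/x-www-form-urlencoded body of the post-back. Refuses when
    __VIEWSTATE is missing: as the question observes, such a post-back
    never reaches the page's own code."""
    fields = hidden_fields(html)
    if "__VIEWSTATE" not in fields:
        raise ValueError("login page carried no __VIEWSTATE; post-back would be rejected")
    fields.update({user_field: user, pass_field: password, submit_field: "Log in"})
    return urlencode(fields)
```

The returned body is what goes into the POST to the same URL, sent with the cookies from the GET so the server ties the viewstate to the same session.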
