View Full Version : ASP .NET - POST request method

5th October 2011, 16:26
Hi everybody,
I need help with creating correct POST request to website working with ASP .NET.
May begin that my request was contructed by using sniffer results.
Here it is:

request.setHeader(QNetworkRequest::ContentTypeHead er, "application/x-www-form-urlencoded; charset=UTF-8");

postData.addQueryItem("ctl00$ScriptManager1", "ctl00$MainContent$btnDecrypt");
postData.addQueryItem("ctl00$MainContent$txtHashes", "f41b59b297ded4f90ba61ee3c5ff18220ae55c66");
postData.addQueryItem("ctl00$MainContent$txtCaptcha", sCaptcha);
//postData.addQueryItem("__EVENTTARGET", "ctl00$MainContent$btnDecrypt");
//postData.addQueryItem("__VIEWSTATE", sViewState);
postData.addQueryItem("__EVENTVALIDATION", sEventValidation);
postData.addQueryItem("__ASYNCPOST", "true");

Unfortunately, I don't receive satisfying outcome. Also, can't understand why in case of sending __EVENTTARGET or __VIEWSTATE, getting this kind of error:

1|#||4|52|pageRedirect||%2ferror.aspx%3faspxerrorp ath%3d%2fsha1-decrypt.aspx|

I can add that my app in the first place, download __VIEWSTATE and __EVENTVALIDATION after connection to website.
Where can be a problem, and why it happen so as above.

Thanks in advance,

5th October 2011, 17:32
ViewState is microsoft proprietary infrastructure to manage state in http. It is Base64 encoded, and uses hashes to identify events on client side. Whatever, be the case, it is not documented because it wasn't meant to be by Microsoft. I don't think you can use this forum for help in reverse engineering it.
Also, they can and will change it as and when they want. Your code, even after doing RE can die tomorrow. If you happen to have the code for server side, modify the code to use only the http controls if you must. Hacking viewstate is not a good idea in my opinion.

6th October 2011, 16:02
So, is there any possibility to send good working request to this page without ViewState? Every time i get all page source without result of current action (decrypt hash). I still don't understand why this code doesn't work correct.
Thanks in advance.

6th October 2011, 23:52
Are you the one requesting the page and sending the postback? Or are you trying to sniff poor Bob's page and send postback, or tricking poor Bob to make a request passing in your viewstate. In both cases it won't work. There is a ViewStateUserKey exactly to discourage this and used to salt the hash.
If you do have asp.net you can explicitly set viewstate off for each control. There is no way that as a client you can request a viewstate less page.
Moreover Trok, This is not the right forum for a asp.net question.