HeadlinesBriefing favicon HeadlinesBriefing.com

Decrypting Encrypted ASP.NET View State

Hacker News •
×

A security researcher details a method for decrypting encrypted ASP.NET view state messages, a common technique used in web application attacks. The process involves extracting automatically generated (autogen) keys from a compromised host's Windows registry or LSA secrets.

These autogen keys, 1024-byte blobs, contain master IIS validation and decryption keys. The article explains how these master keys are derived from the autogen keys by copying specific byte ranges. For the legacy crypto configuration, the first 64 bytes of the autogen key form the master validation key, and the next 24 bytes become the master decryption key.

The researcher notes that while tools like Cyber Chef and Blacklist3r exist, they can be cumbersome. This post aims to demystify the process of deriving usable decryption keys from autogen keys, covering both legacy and modern ASP.NET cryptographic configurations. The ultimate goal is to enable decryption of malicious view state data found in application logs, providing a path to understanding the attacker's actions.