How to Generate Encrypted ViewState without MAC Validation
meme-lord opened this issue · comments
I was reading https://soroush.me/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/ by @irsdl and he mentions:
Prior to the .NET Framework version 4.5, the __VIEWSTATE parameter could be encrypted whilst the MAC validation feature was disabled.
I want be able to generate a Viewstate with ysoserial that is encrypted but doesnt have MAC validation but it seems like the Viewstate plugin requires validationKey as a parameter.
Figured it out need the --legacy
flag