How to Decrypt ASP.NET View State Messages Using Auto-Generated Machine Keys from the Windows Registry
By
@zeroedtech
Summary
This article explains how to decrypt encrypted view state messages from compromised ASP.NET web applications. It covers the process of extracting automatically generated machine keys from the Windows registry, locating the web.config file from a disk image, and using those keys to decrypt view state data found in Windows application event logs (event ID 1316). The article provides a technical walkthrough for incident responders and security professionals dealing with malicious view state attacks where the keys were auto-generated rather than explicitly configured.
Source
Key quotes
· 3 pulledThey had found a 1316 event in their Windows application logs that contained a likely malicious view state.
After extracting the web.config file for the affected site, they found the compromised site had been configured with automatically generated keys.
They were able to dump the autogen keys from the Windows registry, however they didn't know how to use these to decrypt their view state.
You might also wanna read
CVE-2026-4387: StrongDM State File Reuse Vulnerability Allows Session Hijacking
A security vulnerability (CVE-2026-4387) was discovered in StrongDM where state files containing session authentication information could be
Critical Windows Netlogon RCE flaw now exploited in attacks
Election Security Vulnerabilities: A Reference Guide to U.S. Voting Machinery Risks
This article serves as a reference "cheat sheet" compiling informational resources about known vulnerabilities in American election machiner
Parsing ASP.NET Core Identity password hashes for Hashcat cracking on embedded Linux systems
This article discusses the discovery of ASP.NET Core Identity password hashes on an embedded Linux system, which is an unusual environment f
SQLSnoop Attack Exploits Database System Views to Intercept Plaintext Passwords Before Hashing
This article details a SQL injection attack technique called "SQLSnoop" that exploits database system views (Oracle's v$sql and PostgreSQL's
undercodetesting.com·25d agoNew FROST Technique Enables Browser-Based SSD Tracking of Website Visitors
A new browser-based tracking technique called FROST (Fingerprinting Remotely Using OPFS-based SSD Timing) allows websites to spy on visitors

Comments
Sign in to join the conversation.
No comments yet. Be the first.