What is viewstate? Can the string attached after it be anything, as long as it is a unique name?
⏪ ICYMI: Mandiant identified exploitation of a critical vulnerability in KnowledgeDeliver, a learning management system commonly used in Japan. The vulnerability allows for unauthenticated remote code execution via ViewState deserialization. Details: goo.gle/444QSjW
CVE-2026-5426 zero-day in KnowledgeDeliver LMS exploited via hardcoded ASP.NET machine keys for ViewState deserialization attacks. Mandiant confirms Godzilla web shell deployment and Cobalt Strike beacons. #DFIR_Radar
Zero-day vulnerability CVE-2026-5426 in the learning management system (LMS) KnowledgeDeliver is being exploited, and the Godzilla web shell is being installed. A ViewState deserialization attack using an extracted machine key. bleepingcomputer.com/news/se…
Mandiant reports that CVE-2026-5426, a zero-day in KnowledgeDeliver, a learning management system widely used in Japan, was exploited in the wild. The default configuration file the vendor supplied at deployment time had the ASP[.]NET key (machineKey) used to encrypt and sign page state hard-coded in it, so once an attacker obtained the key from one instance, unauthenticated arbitrary code execution was possible against any other instance where that same key had not been changed. After intrusion, the LMS's JavaScript was tampered with, and users were shown a fake security warning prompting them to install a "security authentication plugin". Endpoints that ran the fake plugin received Cobalt Strike BEACON for post-intrusion remote control; because the victim organization's name was used as the encryption key, the report concludes that payloads were prepared in advance for each target. [Key points] ・In KnowledgeDeliver deployed before February 24, 2026, web[.]config contained the same machineKey hard-coded across multiple customer environments as the vendor-supplied default. The machineKey is the key ASP[.]NET uses to encrypt and sign ViewState (the mechanism that preserves page state between requests); an attacker who knows it can embed a malicious object in ViewState and have the server restore it (deserialization), leading to remote code execution. This is the same technique as the past ViewState attacks reported by Sitecore and Microsoft. ・What was deployed is a [.]NET web shell called BLUEBEAM (aka Godzilla). It runs in memory inside the IIS worker process w3wp[.]exe, so file-based detection alone has difficulty catching it. Commands and additional payloads are sent and received as encrypted data in the body of HTTP POST requests. ・The attacker used the access-control command icacls to grant "Everyone" full control over the web application directory, then tampered with JavaScript files. The resulting setup displays a screen prompting installation of a fake "security authentication plugin" and loads scripts from external attacker infrastructure. ・Via the fake plugin, Cobalt Strike BEACON was delivered to users' endpoints. The victim organization's name was used as the payload's encryption key, suggesting that a dedicated payload was prepared in advance for each organization. ・Detection leads cited include Windows Application log Event ID 1316 (ASP[.]NET ViewState validation failure), cmd[.]exe or powershell[.]exe child processes spawned from w3wp[.]exe, suspicious changes to [.]js, [.]aspx and [.]config files, and an anomalous User-Agent that concatenates two browser identifiers. ・The remediation is to immediately change the machineKey to a unique, hard-to-guess value for each instance. In addition, where possible, restricting access to the LMS to IP ranges the organization knows, proactively checking whether a compromise has occurred, and investigating thoroughly if indicators are found are recommended. A configuration that ships the same secret key inside vendor-distributed defaults is a case that shows how a single key leak can cascade into damage at unrelated organizations. KnowledgeDeliver is widely used in Japan, and environments deployed before February 24, 2026 that have not changed the shared key are said to be affected. For details see: cloud.google.com/blog/topics…
Old technique, new zero-day: CVE-2026-5426 in KnowledgeDeliver is related to hardcoded machine keys enabling ViewState deserialization attacks. If you're a defender in APJ, but especially Japan, this may be relevant to you: EN: cloud.google.com/blog/topics… JP: cloud.google.com/blog/ja/top…
Mandiant reported a CVE-2026-5426 ViewState deserialization exploiting shared KnowledgeDeliver machine keys, enabling unauthenticated RCE, BLUEBEAM web shell deployment, file tampering, and Cobalt Strike infection across targeted LMS deployments. cloud.google.com/blog/topics…
Exploitation of a ViewState deserialization vulnerability → goo.gle/42Uefwd Mandiant has published the sequence of events and the mitigations for a compromise it responded to of a web server running KnowledgeDeliver. The KnowledgeDeliver exploitation highlights how the use of shared secrets in deployment templates can lead to serious damage.
Critical KnowledgeDeliver LMS zero-day (CVE-2026-5426) exploited via hardcoded ASP.NET machine keys. Threat actors achieved unauthenticated RCE, deployed in-memory web shells, and infected visitors with Cobalt Strike through fake security prompts. Technical breakdown: • Vulnerability: Identical machineKey values across deployments enabled ViewState deserialization attacks (pre-Feb 24, 2026 installs) • Post-exploitation: BLUEBEAM web shell in w3wp.exe memory, icacls privilege escalation, JavaScript injection for fake security alerts • Attack chain: ViewState RCE → BLUEBEAM deployment → file tampering → Cobalt Strike distribution via social engineering • Detection artifacts: Event ID 1316 with "Event code: 4009" indicating ViewState failures, suspicious w3wp.exe child processes (cmd.exe, whoami, powershell) • IOCs: Anomalous concatenated User-Agent strings, unauthorized .js/.aspx modifications in web root Hunt for Event ID 1316 from ASP.NET sources and w3wp.exe spawning system commands. Full detection rules available in Mandiant SecOps rule packs. #DFIR_Radar
Replying to @AdamRackis
Looking forward to it! As someone who spent years staring at MVC ViewState and the problems it created, followed by waterfall queries and the problems they created, RSC as a concept excites me. Eager to learn more about what's under the hood in TanStack land.
🔒 Private DFIR Report: ViewState of Mind: Gladinet Exploit Opens the Door In January, we observed a threat actor gain initial access to an environment by exploiting CVE-2025-30406 on an exposed Gladinet CentreStack server. Looking at the network traffic at the time of this connection showed large VIEWSTATE payloads being sent to the server. Based on this pattern in the network traffic, the command execution from the IIS server, and the version of Gladinet CentreStack, we assessed that the threat actor successfully exploited CVE-2025-30406 for initial access in this intrusion. Private report — request access or a demo: thedfirreport.com/products/t…
Replying to @kentcdodds
ahh that part yes - closer analogy would be the old asp dot net web forms and viewstate. similar issues / footguns
🧩 CVE‑2026‑5426 – Digital Knowledge KnowledgeDeliver ViewState RCE (Critical): A hard-coded ASP.NET/IIS machineKey in KnowledgeDeliver deployments before February 24, 2026 lets attackers bypass ViewState validation and send malicious ViewState payloads that can execute arbitrary code remotely. CVSS 9.8, published today, with vendor and third-party advisories tracking the issue as critical. tenable.com/cve/CVE-2026-542… #CVE20265426 #ASPNet #IIS #RCE #WebAppSec #ThreatIntel
@hackeriron1 always locked in. So glad I have a team member like him. Bug: ViewState Deserialisation #BugBounty #Bugbountytips
Mar 17
Most of the solutions built to work around the slowness of the KYK WiFi portal are nothing more than a simple HTTP request. The details that set GSBLOGİN apart from its peers on the market: Smart Session Management (ViewState - AJAX) I automated the "Maximum device limit reached" error, every user's biggest nightmare. The application captures the hidden ViewState tokens on the portal in real time and, using AJAX requests, terminates the other active sessions within seconds and opens a new tunnel. Algorithmic Data Validation (Checksum) I block operational errors such as a mistyped TC identity number without generating any network traffic. The 10-digit checksum algorithm I built at the Python level stops invalid data from tying up the central server while it is still local. Secure Input and Masking Thanks to the GetPass implementation I use, password entries are handled at the RAM level without leaving even a single character trace in the terminal. Security has been my priority not only in the project's code but at every stage of the user experience. Cross-Platform Architecture Thanks to directory management backed by sys.frozen checks for the PyInstaller integration, the generated binaries resolve .env configurations flawlessly on every operating system. Ready to run with one click on Windows, Linux and macOS (Ready-to-distribute). My goal was not just a portal login but an end-to-end, error-free micro-automation system. Technical documentation and source code are published on GitHub: in the comments
Mar 4
The .ASPX days were so good. And now Htmx and Datastar have brought back UpdatePanels and ViewState. 🫡 runat="server"
I worked with this one crazy Russian programmer that I loved and he rewrote this complicated application in one day as a single aspx file. Everyone hated it and thought he was wrong, including me. Twenty years later I now realize he was right.
Of course frontend has a concept of architecture. The short version is we learned what you are suggesting doesn't work well in this space. The history of web development answers your question. There is a category of data, we refer to as "state", that is ephemeral. Now we can define ephemeral in different ways since everything persists somewhere but the key is that the ownership of this state is very much tied to the User Interface. Focus, selection state, and so on are shallow examples of this, but you can also think of this in terms of projections of those too. This category only gets larger as things become more interactive. Early web development did not exactly understand this. And when our life began on the server we'd lose this information between actions. POST a form, bye bye state. Now we wised up to that and started serializing it back and forth. ASP.NET had its ViewState and so on. But we hit a fork in the road in the mid 2000s because keeping ephemeral UI state on the server didn't scale great. We wanted RESTful backends, so we could spin up microservices. MVC became king. Its simple model fit: Model (persistent data), View (projection of that data), Controller (singleton that wires it up). What is missing is this non-persisted state. This worked pretty well for simple things. But sort of ignored the problem. Which was ok because people wanted quicker interactivity so more and more started moving to the client. The dawn of SPAs recognized that a more structured approach needed to be taken on the client. So what did we do? We tried to bring our MVC there. Angular, Backbone, Ember, these frameworks followed it. But a pattern started emerging... we had this thing that had no place. Singleton controllers didn't cut it. `$scope` in Angular is the most obvious. And as any early Angular dev will attest it became a huge mess, but Ember also started adding all these new concepts. It was more like MVC(insert 12 more letters here). But this was the problem.
In fact the misery that was Angular.js => Angular 2 was IMO motivated almost entirely by this irreconcilable gap in design. React wasn't the first to realize this though. MVVM frameworks like Knockout.js replaced Controller singletons with per View (or per Model) instance wrappers as a natural place to hold this ephemeral state. The VM standing for View Models. But I'd say React was the first to consolidate on a pattern that was already happening in the wild. For better or for worse VMs did much more tightly couple things. Pretending these things weren't coupled just made traceability very difficult. React owned it and was like there is a natural split between the Model and the VM but the VM and the V are not benefiting from the separation. And thus Components were born. But people in the early days still really liked their separation. So we built really complicated stores. So we could model all but the most ephemeral state as a sort of hoisted Client model. Early attempts were really awkward because synchronization became really buggy. So work went into making this predictable, singular so that state couldn't get out of sync. Redux comes to mind. But there was this tension. Lifecycles were clearly tied to the UI, so there was this constant issue around either holding too much state that was unnecessary or needing to like register/unregister. Obviously things like Angular had services and DI as their approach. But the problems were the same. Around the mid 2010s... thanks largely to GraphQL it became better understood that except for where the user was the source we could basically view state as derived from the server. When people started using it, the need for client side stores shrunk considerably. This evolved eventually into things like React Query. Now even though the sources no longer needed management, we still have this derived state graph running through our components. It might not be as obvious because of say the way React re-runs components.
But by 2018 with the introduction of Hooks you could start seeing it right in front of you. An irony not lost on me because it was like looking at 2010 Knockout.js code. The result, while not realized completely mechanically, is an acknowledgement that State and UI are not easily separable, they overlap. Modeling Component === state like early React might have oversimplified things, but something like MVC categorically misses. A lot of the progress in the last 5 years around Signals is based on preserving these 2 graphs' (UI, State) ability to co-exist in a way that is natural. As projects get larger it is the only sane approach to modularity. It's arguable that patterns around strict contracts/regions should be solidified into concepts, and to be fair boundaries around errors and loading (Suspense) do contain these things. We have natural boundaries around nested route sections (tied to URL subpaths). But each graph has its own mostly homogeneous primitives so those coordination points are extra concepts, and because of the fluidity of this relationship being too strict here will cause you great pain later. So architecture is very much at the top of mind of those designing these systems and tools. However, frontend web is also the most accessible platform. So I don't expect every bootcamp dev to know, understand, or appreciate these things. The structure we have created to allow this modularity and co-location can also be greatly abused. Partially because new devs can be "productive" within their small slice. Which is by design and generally beneficial. But doesn't bestow the same sort of architectural purity and rigor one might expect to find in such large complex systems. To me this is more cultural than an engineering one. The information is out there. We're living in it, but who needs to know? It's hard because people who know a bit more keep respinning on the same expectations of what doesn't work and take few steps in before they realize it.
And I think a lot of engineers outside of frontend have no appreciation for it.
Why do frontend devs put all their logic in "components"? I came up in the winform desktop old days and knew back then, as juniors, that it was an anti-pattern to couple business logic and UI so tightly. How does frontend still not have a concept of architecture?
Marketplace and add-on management • Modular architecture: install/update from Manage Add-ons (Installed and Marketplace tabs), with Release/Beta/Alpha statuses. • Manual loading of add-ons in offline environments. • Extensions screen: enable/disable extensions (with dependencies and a restart where applicable). Recommended collections • Pentester Package: access control, surface detector, fuzzer dictionaries (FuzzDB/SVN Digger), JWT support, file upload, Wappalyzer, JSON view, ViewState, requester, Eval Villain (DOM XSS), etc. • Scan rules package: active/passive rules (release/beta/alpha) and DOM XSS; Retire.js for vulnerable JS. Featured add-ons • Browser View (render as a browser using JavaFX). • Bug Tracker (create GitHub/Bugzilla issues from alerts). • Call Graph. • Software Risk Manager (generate and upload reports). • JSON View, Neonmarker (colour by tags). • Plug-n-Hack (quick browser configuration and client-side events for DOM testing). • Postman Support (import collections; override variables/endpoint). • Revisit (serve from history by time range, useful for regressions). • Server-Sent Events (capture SSE). • Token Gen & Analysis (token entropy/randomness; thread and delay options). • Invoke Applications (launch Nmap or other tools with %url%, %host%, etc.). • Diff (compare 2 requests/responses). • Dev (mini test web app: auth, CSRF, OpenAPI, sequences). • Form/Value Generator (per-field/regex values to populate forms). • Custom Payloads (table/API for payloads by category; enable/disable/import). • Data-Driven Content & Structural Modifiers (data-driven nodes and structural parameters so the Sites Tree represents the real app and scanning is effective). • Labels & Alert Tags (tags in history that propagate to alerts, incl. key=value). • SBOM (CycloneDX for core and add-ons; ZIP export via UI/CLI/API).
• Stats (exposed via API/StatsD). • DB Options (compaction, body limits, persistence). • Display Options (layouts, "large body" sizes, fonts, timestamps). • Linux WebDrivers (bundled drivers and management in Selenium Options). Useful workflows for pentest/DevSecOps • Install the Pentester Package and the Scan rules package → broaden detection quickly. • Tune structural modifiers (data-driven/structural params) to reduce noise and scan time. • Import Postman collections to populate the tree, then run an active scan with custom payloads. • Use Revisit to compare behaviour across deployments. • Connect Bug Tracker / Software Risk Manager to route findings to teams. • Generate SBOM and statistics for continuous reporting. • Neonmarker and Labels for visual prioritisation during long sessions. Security/ethics notes • Install and use add-ons only in environments where you have explicit permission. • Avoid exposing credentials/tokens in Replacer/Invoke/Labels rules. • When using Revisit/SSE/Plug-n-Hack, remember that content is injected: use them in labs/staging.