The viewstate or application's pages are already encrypted, but looking at the Burp output of the response from a POST to the Telerik.UI.DialogHandler (ImageManager), it seems the Telerik view state in the response appears not to be.
We've generated and specified the DialogParametersEncryptionKey, ConfigurationEncryptionKey, and ConfigurationHashKey keys in the site level web.config as described in article https://docs.telerik.com/devtools/aspnet-ajax/controls/editor/functionality/dialogs/security. This didn't change the viewstate.
The machine key in IIS is set for auto-generation.
I'm only assuming the Telerik viewstate can be encrypted because what I've read seems to imply that, but I haven't found a clear example so I'm not sure.
6 Answers, 1 is accepted
Yesterday, I converted your forum thread to a General Feedback ticket because I requested more information about your project.
I am pasting my answer here, but let's continue the discussion there:
Thank you for reporting this problem!
I converted the forum to a private ticket since its resolution might require information for your project.
Can you please perform two steps and report the result:
- test with the latest version 2020.1.219 (R1 2020 SP1) - for your convenience I have attached the trial assembly of the latest release.
- set this attribute in the web.config file, save it and retest:
<appSettings>
  <add key="Telerik.ScriptManager.EnableHandlerEncryption" value="true"/>
  ...
</appSettings>
If the problem still persists, please provide the web.config of your project plus a link or the name of the tool you use to inspect and decode the ViewState.
We are using the Burp Suite tool, and it shows the view state for RadEditor when we try to insert the image.
I have also added EnableHandlerEncryption in web.config and we are still getting the same issue.
The Telerik assembly version that we are using is: 2020.1.114.45
Let me know if you need more information, I can share them with you.
Can you please record and provide a short video demonstrating the RadEditor configuration, the web.config file and how you replicate the viewstate scenario in Burp? This will help me to recreate the scenario.
Thank you for the quick response.
I do not see any option to attach video here, so I am attaching the screenshots.
ImageEditor_1: In RadEditor I have clicked on Image Manager and selected the image (I have only selected the image in RadEditor).
BurpSuite_1: After following the above step, I checked the logs in Burp Suite and found that the view state is not encrypted.
I have added the below line in the appSettings of web.config:
I have added the code snippet for RadEditor below:
Can you please change the TargetFramework of the application to 4.5 or later and test again:
<compilation debug="false" targetFramework="4.8" />
<httpRuntime targetFramework="4.8" />
<pages viewStateEncryptionMode="Always" enableViewStateMac="true">
  <controls>
    <add tagPrefix="telerik" namespace="Telerik.Web.UI" assembly="Telerik.Web.UI" />
  </controls>
</pages>
<httpHandlers>
This should do the trick:
The EnableHandlerEncryption setting is responsible only for the URL querystring encryption of the Telerik handlers; it does not encrypt the ViewState. The ViewState encryption is handled by the .NET framework.
Thanks for your quick help, that has fixed the issue.
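Added example, not part of the thread and not Telerik's code: a Python check that audits a web.config for the settings given in the accepted answer and tests whether a captured __VIEWSTATE value is still plaintext. The function names, sample configs and sample values are constructed for illustration; the plaintext test is a heuristic that relies on the FF 01 header with which unencrypted ObjectStateFormatter output begins.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed web.config fragments: the weak one leaves the defaults in place,
# the fixed one carries the settings given in the accepted answer.
WEAK = """<configuration><system.web>
  <compilation debug="false" targetFramework="4.0" />
  <httpRuntime />
  <pages><controls /></pages>
</system.web></configuration>"""

FIXED = """<configuration><system.web>
  <compilation debug="false" targetFramework="4.8" />
  <httpRuntime targetFramework="4.8" />
  <pages viewStateEncryptionMode="Always" enableViewStateMac="true"><controls /></pages>
</system.web></configuration>"""

# Constructed __VIEWSTATE values (not taken from any real application).
PLAIN_SAMPLE = base64.b64encode(b"\xff\x01" + b"constructed-state").decode()
OPAQUE_SAMPLE = base64.b64encode(bytes(range(16, 48))).decode()


def audit_web_config(xml_text):
    """Return a list of findings; an empty list means the settings match the answer."""
    web = ET.fromstring(xml_text).find("system.web")
    if web is None:
        return ["no <system.web> section"]
    findings = []
    pages = web.find("pages")
    attrs = pages.attrib if pages is not None else {}
    if attrs.get("viewStateEncryptionMode", "Auto").lower() != "always":
        findings.append('pages/@viewStateEncryptionMode is not "Always"')
    if attrs.get("enableViewStateMac", "true").lower() == "false":
        findings.append("pages/@enableViewStateMac is disabled")
    runtime = web.find("httpRuntime")
    target = runtime.get("targetFramework", "") if runtime is not None else ""
    try:
        version = tuple(int(p) for p in target.split(".")[:2])
    except ValueError:
        version = ()  # attribute missing or not a version number
    if version < (4, 5):
        findings.append("httpRuntime/@targetFramework is missing or below 4.5")
    return findings


def looks_plaintext(viewstate_b64):
    """Heuristic: unencrypted ObjectStateFormatter output starts with bytes FF 01."""
    return base64.b64decode(viewstate_b64)[:2] == b"\xff\x01"
```

A value copied from a POST body in a proxy is URL-encoded, so decode it (for example with urllib.parse.unquote) before passing it to looks_plaintext.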