So for this weekend I am trying to create a Python script that will try to brute force my password by reading a file. I am practising it on my private lab, which is running IIS. I can easily do this on an Apache server with a CSRF token, but IIS is a completely different beast.
The problem is that IIS also sends some other headers that I am not familiar with. I don’t know how to handle the following headers:
__EVENTTARGET=
__EVENTARGUMENT=
__VIEWSTATE=
__VIEWSTATEGENERATOR=
When I send the POST request along with my credentials, I see the above four headers are also appended to my login data (username and password). I examined my request through the browser using Burp and I see that EVENTTARGET and EVENTARGUMENT are blank, and I see VIEWSTATE has some value and VIEWSTATEGENERATOR has some random value as well. But when I send a GET request to my login.aspx page, I only get a value for VIEWSTATE and no value for VIEWSTATEGENERATOR.
What am I supposed to do with these? I am not that familiar with IIS, which is why I am trying to do this fun project.