Custom HTTP Brute Force Fun Project

So for this weekend I am trying to create a Python script that will try to brute force my password by reading a file. I am practising it on my private lab, which is running IIS. I can easily do this on an Apache server with a CSRF token, but IIS is a completely different beast.

The problem is that IIS also sends some other headers that I am not familiar with. I don’t know how to handle the following headers:

When I send the POST request along with my credentials, I see the above four headers are also appended to my login data (username and password). I examined my request through the browser using Burp and I see that EVENTTARGET and EVENTARGUMENT are blank, VIEWSTATE has some value, and VIEWSTATEGENERATOR has some random value as well. But when I send a GET request to my login.aspx page, I only get a value for VIEWSTATE and no value for VIEWSTATEGENERATOR.

What am I supposed to do with these? I am not that familiar with IIS which is why I am trying to do this fun project.

Seeing those variables/headers, I assume that your web application is running ASP.NET. You might want to research ASP.NET ViewState to understand what is going on. Very roughly, the ViewState can be seen as an extended CSRF token that optionally gets encrypted.

Didn’t read it, but this one looks like a good starting point: What Is View State And How It Works In ASP.NET