hunt-aspnet

## Crown Jewel Targets ASP.NET deserialization bugs pay among the highest amounts in bug bounty when they reach RCE. Even when patched, the disclosure-tier findings (signed-only ViewState, dual-parser differential, request-validator quirks) reliably pay Low-Medium. **Highest-value targets:** - **SharePoint farms** (any version — 2013/2016/2019/SE) — sign-only ViewState + permissive ToolPane.aspx + anonymous FormDigest creates the CVE-2025-53770 ToolShell precondition chain - **Telerik UI for ASP.NET AJAX** — `Telerik.Web.UI.WebResource.axd` is a documented RCE sink when keys leak (CVE-2017-11317, CVE-2017-11357, CVE-2019-18935) - **Classic ASP.NET Webforms enterprise apps** — banking portals, dealer portals, HR systems left on .NET Framework 4.x - **WCF services** (`*.svc?WSDL`) — often forgotten admin endpoints with looser auth than the main app - **Sitecore CMS** — ViewState + Sitecore-specific deserialization chains (CVE-2021-42237) - **DotNetNuke (DNN)** — historic ViewState RCE chains - **Umbraco CMS** — ViewState + custom deserialization sinks **Asset types that pay most:** internet-reachable ASP.NET Webforms apps > WCF admin services > Telerik-integrated sites > Classic ASP.NET MVC with VSF (very rare) --- ## Attack Surface Signals **Response headers indicating ASP.NET:** ``` X-AspNet-Version: 4.0.30319 (classic — disclosure on its own) X-Powered-By: ASP.NET X-AspNetMvc-Version: 5.2 Server: Microsoft-IIS/10.0 Set-Cookie: ASP.NET_SessionId=... Set-Cookie...