AspNetEnforceViewStateMacregistry key to zero in:
_VIEWSTATEGENERATORparameter isn't sent by the server you don't need to provide the
--generatorparameter but these ones:
__VIEWSTATE_parameter from the users even if
ViewStateEncryptionModehas been set to Always. ASP.NET only checks the presence of the
__VIEWSTATEENCRYPTEDparameter in the request. If one removes this parameter, and sends the unencrypted payload, it will still be processed.
__VIEWSTATEENCRYPTEDparameter from the request in order to exploit the ViewState deserialization vulnerability, else it will return a Viewstate MAC validation error and exploit will fail as shown in Figure:
machineKeyparamter of web.config file.
__VIEWSTATEGENERATORyou can try to use the
--generatorparameter with that value and omit the parameters