The other day I had cause to trigger an event firing in ASP.Net without actually having the user trigger the event, so I went about figuring out how that worked. It was simpler than I thought it would be, and it got me thinking about triggering events maliciously. I put together a vulnerable sample project, went to trigger it, and ran smack into ASP.Net Event Validation - which exists to thwart this exact attack. Disappointing
But I remembered other cases where I had run into it, and I refreshed myself by reading K Scott Allen's blog posts (first result on google too!). Long story short, even though Event Validation exists, it may not always be turned on - because there are legitimate places where it makes life super annoying.
So here's how to hack it if Event Validation is turned off. And a good reminder to developers why you should think twice before disabling it on a single page (or god forbid - site-wide).