logo

ASP.NET ViewState Integrity

  • Risk:
  • High

  • Type:
  • Passive
Summary

The application does not use a Message Authentication Code (MAC) to protect the integrity of the ASP.NET ViewState, which can be tampered with by a malicious client

Solution

Ensure that all ASP.NET ViewStates are protected from tampering, by using a MAC, generated using a secure algorithm, and a secret key on the server side. This is the default configuration on modern ASP.NET installation, by may be over-ridden programmatically, or via the ASP.NET configuration.

References

https://learn.microsoft.com/en-us/previous-versions/bb386448(v=vs.140)

https://www.jardinesoftware.net/2012/02/06/asp-net-tampering-with-event-validation-part-1/

Free security scan for your website