ASP.NET ViewState Integrity

Risk:
High

Type:
Passive

CWE:
CWE-642

Summary: The application does not use a Message Authentication Code (MAC) to protect the integrity of the ASP.NET ViewState, which can be tampered with by a malicious client

Solution: Ensure that all ASP.NET ViewStates are protected from tampering, by using a MAC, generated using a secure algorithm, and a secret key on the server side. This is the default configuration on modern ASP.NET installation, by may be over-ridden programmatically, or via the ASP.NET configuration.

References

https://learn.microsoft.com/en-us/previous-versions/bb386448(v=vs.140)

https://www.jardinesoftware.net/2012/02/06/asp-net-tampering-with-event-validation-part-1/

Free security scan for your website

Don't show website scan report rating on the leaderboard