logo

ASP.NET ViewState Integrity

  • Risk:

  • High

  • Type:
  • Passive
Summary
The application does not use a Message Authentication Code (MAC) to protect the integrity of the ASP.NET ViewState, which can be tampered with by a malicious client
Solution
Ensure that all ASP.NET ViewStates are protected from tampering, by using a MAC, generated using a secure algorithm, and a secret key on the server side. This is the default configuration on modern ASP.NET installation, by may be over-ridden programmatically, or via the ASP.NET configuration.
References

https://learn.microsoft.com/en-us/previous-versions/bb386448(v=vs.140)

https://www.jardinesoftware.net/2012/02/06/asp-net-tampering-with-event-validation-part-1/

Back <<