ASP.NET ViewState Integrity
- Risk:
High
- Type:
- Passive
- CWE:
- CWE-642
- Summary
The application does not use a Message Authentication Code (MAC) to protect the integrity of the ASP.NET ViewState, which can be tampered with by a malicious client
- Solution
Ensure that all ASP.NET ViewStates are protected from tampering, by using a MAC, generated using a secure algorithm, and a secret key on the server side. This is the default configuration on modern ASP.NET installation, by may be over-ridden programmatically, or via the ASP.NET configuration.
Free security scan for your website