Base64 Disclosure
ID: base64_disclosure
Severity: critical
Kind: Information Disclosure
CWE: 319
Description
- ASP.NET ViewState Disclosure: An ASP.NET ViewState was disclosed by the application/web server.
- ASP.NET ViewState Integrity: The application does not use a Message Authentication Code (MAC) to protect the integrity of the ASP.NET ViewState, so a malicious client can tamper with it.
- Base64 Disclosure: Base64-encoded data was disclosed by the application/web server. Note: in the interest of performance, not every base64 string in the response was analyzed individually; the analyst, security team or developers should review the entire response.
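The check described above, written out as a small scanner so the triage step ("look at the whole response") has something to run. This is an added example, not the scanner's own detection logic: it finds base64-looking runs in a response body, strictly decodes them, and labels the ones that look meaningful (ASP.NET ViewState by its 0xFF 0x01 header, JSON, text containing credential-like keywords, user:password pairs). The keyword list, the regex thresholds and the sample HTML response are constructed for this example.

```python
import base64
import binascii
import json
import re
import string

# Runs of at least 16 base64-alphabet characters with optional padding, not
# glued to further base64 characters on either side. Threshold is a heuristic.
B64_RE = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")

# Heuristic keyword list, constructed for this example; extend for your estate.
SENSITIVE_WORDS = ("password", "passwd", "secret", "token", "apikey",
                   "api_key", "authorization", "connectionstring")

# ASP.NET 2.0+ ViewState (ObjectStateFormatter) starts with 0xFF 0x01 once decoded.
VIEWSTATE_MAGIC = b"\xff\x01"


def decode_token(token):
    """Strictly decode one base64 token; return None when it is not valid base64."""
    padded = token + "=" * (-len(token) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None


def classify(raw):
    """Label decoded bytes; None means 'opaque bytes, not worth a human look'."""
    if raw.startswith(VIEWSTATE_MAGIC):
        return "aspnet_viewstate"
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if not all(ch in string.printable for ch in text):
        return None
    stripped = text.strip()
    if stripped[:1] in ("{", "["):
        try:
            json.loads(stripped)
            return "json"
        except ValueError:
            pass
    if any(word in text.lower() for word in SENSITIVE_WORDS):
        return "credential_like_text"
    if ":" in stripped and " " not in stripped:
        return "user_colon_secret"  # Basic-auth style user:password
    return "text"


def find_base64_disclosures(body):
    """Return (token, label, first 40 decoded bytes) for each meaningful base64 token in body."""
    findings = []
    for match in B64_RE.finditer(body):
        token = match.group(0)
        raw = decode_token(token)
        if raw is None:
            continue
        label = classify(raw)
        if label is not None:
            findings.append((token, label, raw[:40]))
    return findings


# Constructed HTTP response body for the demo (not from a real target).
SAMPLE_RESPONSE = (
    '<input type="hidden" name="__VIEWSTATE" value="'
    + base64.b64encode(b"\xff\x01\x0f\x0f\x05\x0bPageState01").decode() + '" />\n'
    '<script>var cfg = "'
    + base64.b64encode(b'{"db_password":"Hunter2!","host":"db01"}').decode() + '";</script>\n'
    '<meta name="auth" content="' + base64.b64encode(b"admin:Winter2024").decode() + '">\n'
    '<img src="/static/logo_0123456789abcdef.png">\n'
)

if __name__ == "__main__":
    for token, label, preview in find_base64_disclosures(SAMPLE_RESPONSE):
        print(f"{label:22} {token[:24]}... -> {preview!r}")
```

The hex fragment in the image path is a deliberate false positive: it matches the regex, but decodes to bytes that are not UTF-8, so it is dropped. Anything that decodes to printable text is reported, which is the right bias for a triage tool whose output a human will read.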
Rationale
Base64 is a reversible encoding, not encryption: anyone who sees the string can decode it with no key, so data an application "hid" by encoding it (credentials, tokens, session identifiers, internal hostnames or connection details) is exposed to every client that receives the response. ASP.NET ViewState is a base64-encoded serialized object that the server deserializes on postback; without a MAC the server cannot tell whether the client returned the same bytes it sent, so an attacker can decode, modify and re-encode it to manipulate application state, escalate privileges, or feed attacker-controlled serialized data to the server. Even where nothing directly exploitable is inside, the decoded values give an attacker reconnaissance: data structures, parameter names and values the application did not intend to reveal.
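The decode, modify, re-encode attack from the paragraph above, and why a MAC stops it, as an added example (not code from the page or from ASP.NET). The "unprotected" functions mimic base64-only state; the "mac" functions append an HMAC-SHA256 tag computed with a server-side key, the same pattern ViewState MAC uses. The key, the state object and the field names are constructed for the example, and a failed check returns None here where ASP.NET would throw a ViewStateException.

```python
import base64
import hashlib
import hmac
import json

TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag

# Stand-in for the server-side machineKey validationKey (constructed, not a real key).
VALIDATION_KEY = b"example-validation-key-do-not-reuse-in-production"


def encode_state(state):
    """'Obfuscated' state: base64 of the serialized object, no key involved."""
    return base64.b64encode(json.dumps(state, sort_keys=True).encode()).decode()


def load_state(blob):
    """Server trusts whatever decodes: the client can change any field."""
    return json.loads(base64.b64decode(blob))


def encode_state_mac(state, key):
    """Serialized state followed by HMAC-SHA256 over it."""
    payload = json.dumps(state, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + tag).decode()


def load_state_mac(blob, key):
    """Return the state only if the tag verifies; None stands in for a rejection."""
    raw = base64.b64decode(blob)
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(payload)


def tamper(blob, field, value, tag_len=0):
    """Attacker side: decode, edit one field, re-encode, keeping any trailing tag
    (which the attacker cannot recompute without the key)."""
    raw = base64.b64decode(blob)
    payload, tag = (raw[:-tag_len], raw[-tag_len:]) if tag_len else (raw, b"")
    state = json.loads(payload)
    state[field] = value
    return base64.b64encode(json.dumps(state, sort_keys=True).encode() + tag).decode()


if __name__ == "__main__":
    state = {"user": "alice", "role": "user"}
    forged = tamper(encode_state(state), "role", "admin")
    print("unprotected:", load_state(forged))  # role is now admin
    forged_mac = tamper(encode_state_mac(state, VALIDATION_KEY), "role", "admin", TAG_LEN)
    print("with MAC:", load_state_mac(forged_mac, VALIDATION_KEY))  # None: rejected
```

The MAC gives integrity only: the payload is still plain base64 and fully readable by the client, which is why sensitive values need encryption as well, not just a tag.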
Remediation
Keep ViewState MAC validation on: the pages element must not set enableViewStateMac="false" (the .NET Framework 4.5.2 runtime and later ignore that value and always validate the MAC, but older runtimes honour it), and configure machineKey with validation="HMACSHA256" and decryption="AES", with explicit validationKey and decryptionKey values shared across every server in a web farm and kept out of source control. If ViewState must carry sensitive values, set viewStateEncryptionMode="Always"; better, keep such values server-side. Verify the effective settings in web.config and in any @Page directive or machine-level configuration that overrides it. Do not use Base64 encoding as a security mechanism: it is a reversible encoding that provides obfuscation, not confidentiality. If sensitive data must be transmitted in responses, encrypt it with a modern authenticated cipher before encoding it, and review every Base64-encoded value in the response to ensure it does not contain credentials, tokens, session identifiers or other sensitive information. Use proper encryption with strong algorithms for protecting sensitive data in transit and at rest.
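A configuration check for the remediation above, as an added example rather than tooling from the page: it parses a web.config, flags a pages element that disables the ViewState MAC or leaves ViewState unencrypted, and flags machineKey algorithms that predate HMACSHA256/AES. The two embedded configs are constructed, one weak and one hardened; both use AutoGenerate keys, which a real web farm would replace with explicit shared keys.

```python
import xml.etree.ElementTree as ET

# machineKey validation algorithms ASP.NET still accepts but that predate HMACSHA256.
LEGACY_VALIDATION = {"MD5", "SHA1", "3DES", "AES"}
# Decryption algorithms with a 64-bit block; AES is the one to use.
WEAK_DECRYPTION = {"DES", "3DES"}


def audit_web_config(xml_text):
    """Return (code, detail) pairs for ViewState-related weaknesses in a web.config."""
    root = ET.fromstring(xml_text)
    system_web = root.find("system.web")
    findings = []
    if system_web is None:
        return findings
    pages = system_web.find("pages")
    # Defaults below are the .NET Framework 4.x defaults when the attribute is absent.
    mac = pages.get("enableViewStateMac", "true") if pages is not None else "true"
    if mac.lower() == "false":
        findings.append(("viewstate_mac_disabled", 'pages enableViewStateMac="false"'))
    mode = pages.get("viewStateEncryptionMode", "Auto") if pages is not None else "Auto"
    if mode.lower() != "always":
        findings.append(("viewstate_not_encrypted", f'pages viewStateEncryptionMode="{mode}"'))
    mk = system_web.find("machineKey")
    if mk is not None:
        validation = mk.get("validation", "HMACSHA256")
        if validation.upper() in LEGACY_VALIDATION:
            findings.append(("legacy_validation_algorithm", f'machineKey validation="{validation}"'))
        decryption = mk.get("decryption", "Auto")
        if decryption.upper() in WEAK_DECRYPTION:
            findings.append(("weak_decryption_algorithm", f'machineKey decryption="{decryption}"'))
    return findings


# Constructed weak configuration: MAC off, legacy algorithms.
WEAK_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <pages enableViewStateMac="false" />
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="SHA1" decryption="3DES" />
  </system.web>
</configuration>
"""

# Constructed hardened configuration: MAC on, ViewState encrypted, HMACSHA256/AES.
HARDENED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <pages enableViewStateMac="true" viewStateEncryptionMode="Always" />
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_web_config(cfg) or "no findings")
```

This reads only web.config; a page-level EnableViewStateMac="false" in an @Page directive, or settings inherited from machine.config, would not show up here and need to be checked separately.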