Viewstate
ID | viewstate
Severity | critical
Kind | Session Management
CWE | 642
Description
- Potential IP Addresses Found in the Viewstate: potential IP addresses were found serialized in the ViewState field.
- Emails Found in the Viewstate: email addresses were found serialized in the ViewState field.
- Old Asp.Net Version in Use: this website uses ASP.NET version 1.0 or 1.1.
- Viewstate without MAC Signature (Unsure): this website uses ASP.NET's ViewState, possibly without a MAC.
- Viewstate without MAC Signature (Sure): this website uses ASP.NET's ViewState without a MAC.
- Split Viewstate in Use: this website uses ASP.NET's ViewState and its value is split into several chunks.
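The checks listed above can be reproduced offline from the hidden form fields of a page. The following Python script is an added example written for this page; it is not the scanner's own code. It reassembles a split ViewState from __VIEWSTATEFIELDCOUNT / __VIEWSTATE / __VIEWSTATE1..., classifies the encoding as ASP.NET 1.x (LosFormatter text beginning with "t<" or "p<") or 2.0+ (ObjectStateFormatter stream beginning with 0xFF 0x01), and scans the decoded bytes for IP addresses and e-mail addresses. The MAC heuristic for 1.x data (text ending at ">" means no digest was appended) is an assumption of this example, and the sample values are constructed, not captured from any site.

```python
import base64
import re

# Constructed sample values for this example; they are not captured from any real site.
# ASP.NET 1.x (LosFormatter) ViewState decodes to text beginning with "t<" (Triplet)
# or "p<" (Pair) and, when no MAC is applied, ends at the final ">". With a MAC enabled,
# ASP.NET 1.x appends a 20-byte HMAC-SHA1 digest after that text.
# ASP.NET 2.0+ (ObjectStateFormatter) ViewState decodes to a binary stream that starts
# with the bytes 0xFF 0x01 (base64 prefix "/wE").
SAMPLE_1X_NO_MAC = base64.b64encode(
    b"t<1234567;;l<admin@example.com;10.0.0.5;>;>"
).decode()
SAMPLE_1X_WITH_MAC = base64.b64encode(
    b"t<1234567;;l<hello;>;>" + bytes(range(20))  # constructed stand-in for the digest
).decode()
SAMPLE_2X = base64.b64encode(
    b"\xff\x01" + b"\x05\x08" + b"10.0.0.7"  # constructed body after the 0xFF 0x01 header
).decode()

IP_RE = re.compile(rb"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def classify(raw):
    """Return (asp_net_version, mac_status) from the decoded ViewState bytes."""
    if raw[:2] == b"\xff\x01":
        # Telling MAC from no-MAC here needs a full ObjectStateFormatter parser,
        # which is why the 2.0+ case is only ever reported as "Unsure".
        return "2.0+", "unknown"
    if raw[:2] in (b"t<", b"p<"):
        # Heuristic (assumption of this example): 1.x data ending at ">" carries no MAC.
        return "1.x", "absent" if raw.endswith(b">") else "likely present"
    return "unrecognised", "unknown"


def reassemble(fields):
    """Join a split ViewState (__VIEWSTATEFIELDCOUNT plus __VIEWSTATE, __VIEWSTATE1, ...)."""
    count = fields.get("__VIEWSTATEFIELDCOUNT")
    if count is None:
        return fields.get("__VIEWSTATE", ""), False
    parts = [fields.get("__VIEWSTATE", "")]
    parts += [fields.get(f"__VIEWSTATE{i}", "") for i in range(1, int(count))]
    return "".join(parts), True


def analyse_fields(fields):
    """Run the module's checks over a dict of hidden form field names to values."""
    encoded, split = reassemble(fields)
    raw = base64.b64decode(encoded)
    version, mac = classify(raw)
    return {
        "version": version,
        "mac": mac,
        "split": split,
        "ips": sorted({m.decode() for m in IP_RE.findall(raw)}),
        "emails": sorted({m.decode() for m in EMAIL_RE.findall(raw)}),
    }


def split_fields(encoded, chunk):
    """Mimic the way ASP.NET splits a long ViewState into several hidden fields."""
    parts = [encoded[i:i + chunk] for i in range(0, len(encoded), chunk)]
    fields = {"__VIEWSTATEFIELDCOUNT": str(len(parts)), "__VIEWSTATE": parts[0]}
    for i, part in enumerate(parts[1:], start=1):
        fields[f"__VIEWSTATE{i}"] = part
    return fields


if __name__ == "__main__":
    samples = {
        "1.x, no MAC": {"__VIEWSTATE": SAMPLE_1X_NO_MAC},
        "1.x, MAC": {"__VIEWSTATE": SAMPLE_1X_WITH_MAC},
        "2.0+": {"__VIEWSTATE": SAMPLE_2X},
        "1.x, split": split_fields(SAMPLE_1X_NO_MAC, 10),
    }
    for name, fields in samples.items():
        print(name, analyse_fields(fields))
```

Only the 1.x case yields a "Sure" verdict; for the binary 2.0+ format the script deliberately reports the MAC status as unknown rather than guessing, which mirrors the Unsure/Sure split in the alert names above.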
Rationale
ASP.NET ViewState without MAC (Message Authentication Code) protection allows attackers to tamper with serialized state data sent to the client. An attacker can decode the ViewState, modify values like user roles or prices, re-encode it, and send it back to manipulate application logic. Older ASP.NET versions and unprotected ViewState also risk information disclosure when sensitive data like IP addresses or emails are serialized. Without cryptographic integrity checks, the server cannot distinguish legitimate ViewState from attacker-modified versions, enabling privilege escalation and data manipulation attacks.
Remediation
Enable ViewState MAC protection by setting enableViewStateMac="true" in web.config or machine.config. Upgrade to a supported ASP.NET version (4.5 or later) which enforces MAC by default. Encrypt ViewState using the ViewStateEncryptionMode property if it contains sensitive data. Avoid storing sensitive information like IP addresses or email addresses in ViewState. Use the machineKey element to configure strong encryption and validation keys.
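The settings named in the remediation can be checked mechanically in a web.config. The following Python script is an added example for this page, not code from the scanner or from Microsoft; it parses two constructed web.config fragments, one with the weak settings and one with the corrected ones, and lists what still needs fixing. The placeholder key values in the hardened fragment are assumptions that must be replaced with real hex keys.

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragments for this example (not taken from any real deployment).
WEAK_CONFIG = """
<configuration>
  <system.web>
    <pages enableViewStateMac="false" viewStateEncryptionMode="Never" />
    <machineKey validation="SHA1" decryption="3DES"
                validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps" />
  </system.web>
</configuration>
"""

HARDENED_CONFIG = """
<configuration>
  <system.web>
    <httpRuntime targetFramework="4.8" />
    <pages enableViewStateMac="true" viewStateEncryptionMode="Always" />
    <!-- Placeholder keys: generate real random hex keys (for example with the
         Machine Key feature in IIS Manager) and keep them out of source control. -->
    <machineKey validation="HMACSHA256" decryption="AES"
                validationKey="REPLACE_WITH_128_HEX_CHARS"
                decryptionKey="REPLACE_WITH_64_HEX_CHARS" />
  </system.web>
</configuration>
"""

LEGACY_VALIDATION = {"MD5", "SHA1"}


def audit_web_config(xml_text):
    """Return a list of findings; an empty list means the remediation steps are in place."""
    root = ET.fromstring(xml_text.strip())
    findings = []

    # <pages>: MAC must not be disabled, and encryption should be on for sensitive data.
    pages = root.find("./system.web/pages")
    mac = pages.get("enableViewStateMac", "true") if pages is not None else "true"
    if mac.lower() == "false":
        findings.append('enableViewStateMac="false": ViewState has no integrity check')
    mode = pages.get("viewStateEncryptionMode", "Auto") if pages is not None else "Auto"
    if mode.lower() != "always":
        findings.append(f'viewStateEncryptionMode="{mode}": set Always when ViewState carries sensitive data')

    # <machineKey>: explicit keys and a modern validation algorithm.
    key = root.find("./system.web/machineKey")
    if key is None:
        findings.append("no machineKey element: validation/decryption keys are not explicitly configured")
    else:
        if key.get("validation", "").upper() in LEGACY_VALIDATION:
            findings.append(f'machineKey validation="{key.get("validation")}": use HMACSHA256 or stronger')
        for attr in ("validationKey", "decryptionKey"):
            if "AutoGenerate" in key.get(attr, "AutoGenerate"):
                findings.append(f"machineKey {attr} is auto-generated: set an explicit key for web farms and key rotation")

    # <httpRuntime>: the page recommends ASP.NET 4.5 or later.
    runtime = root.find("./system.web/httpRuntime")
    target = runtime.get("targetFramework") if runtime is not None else None
    version = tuple(int(p) for p in target.split(".")) if target else (0,)
    if version < (4, 5):
        findings.append("httpRuntime targetFramework below 4.5: upgrade to a supported ASP.NET version")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_web_config(cfg) or "no findings")
```

Run against the weak fragment the audit reports six findings; against the hardened one it reports none. Since Microsoft's September 2014 ASP.NET security update (advisory 2905247) the runtime ignores enableViewStateMac="false" altogether, so on a patched 4.x server the MAC is enforced regardless of the setting; the audit still flags the attribute so that the configuration states the intent explicitly.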