ViewState is not Encrypted
Impact: Informational
Description
The ViewState is a hidden form input in ASP.NET pages that is used automatically to persist information such as non-default values of controls. It is also possible to store application data specific to a page in the ViewState. If the ViewState is not encrypted, anyone who can view the page can read the values stored in it.
Recommendation
Do not store sensitive values in the ViewState and enable encryption for it.
To enable ViewState encryption for the whole application, add the lines below to the pages node under system.web in the Web.Config.
<system.web>
<pages viewStateEncryptionMode="Always" />
</system.web>
To enable encryption for a specific page add the below line at the top of the page:
<%@Page ViewStateEncryptionMode="Always" %>
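The following audit is an added example, not part of the original advisory: it reads a Web.config and a set of .aspx sources and reports every page whose effective ViewStateEncryptionMode is not Always. It assumes that a page directive overrides the application-wide setting and that an unset attribute means the ASP.NET default, Auto; the function names and sample inputs are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

DEFAULT_MODE = "Auto"  # ASP.NET default when the attribute is not set
PAGE_DIRECTIVE = re.compile(r"<%@\s*Page\b(.*?)%>", re.I | re.S)
MODE_ATTR = re.compile(r"\bViewStateEncryptionMode\s*=\s*[\"']([^\"']*)[\"']", re.I)


def app_mode(web_config_xml):
    """Mode set on <pages> under <system.web>, or the default if absent."""
    system_web = ET.fromstring(web_config_xml).find("system.web")
    pages = system_web.find("pages") if system_web is not None else None
    if pages is None:
        return DEFAULT_MODE
    return pages.get("viewStateEncryptionMode", DEFAULT_MODE)


def page_mode(aspx_source):
    """Mode set in the @ Page directive, or None when the page does not set it."""
    directive = PAGE_DIRECTIVE.search(aspx_source)
    attr = MODE_ATTR.search(directive.group(1)) if directive else None
    return attr.group(1) if attr else None


def audit(web_config_xml, pages):
    """Return {page: effective mode} for every page whose mode is not Always."""
    inherited = app_mode(web_config_xml)
    findings = {}
    for path, source in pages.items():
        effective = page_mode(source) or inherited  # page directive wins
        if effective.lower() != "always":
            findings[path] = effective
    return findings


# Constructed sample inputs, not taken from a real application.
SAMPLE_CONFIG = """<configuration>
  <system.web>
    <pages enableViewStateMac="true" />
  </system.web>
</configuration>"""
SAMPLE_PAGES = {
    "Login.aspx": '<%@ Page Language="C#" ViewStateEncryptionMode="Always" %>',
    "Profile.aspx": '<%@ Page Language="C#" %>',
    "Report.aspx": '<%@Page ViewStateEncryptionMode="Never" %>',
}

if __name__ == "__main__":
    for path, mode in sorted(audit(SAMPLE_CONFIG, SAMPLE_PAGES).items()):
        print(f"{path}: effective ViewStateEncryptionMode={mode}")
```

A page reported as Auto is encrypted only when one of its controls requests encryption, so it is listed alongside pages set to Never.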
Last updated on July 07, 2021