Description
The ViewState, a hidden form input in ASP.NET pages, automatically persists information and application data specific to a page. If the ViewState is not encrypted, its contents can be easily viewed by anyone, potentially exposing sensitive information.
Recommendation
To enhance security, avoid storing sensitive values in the ViewState and enable encryption for it. To enable ViewState encryption for the entire application, add the following configuration to the Web.config file under the system.web node:
<system.web>
    <pages viewStateEncryptionMode="Always" />
</system.web>
Alternatively, for specific pages, enable encryption by adding the provided directive at the top of each page:
<%@Page ViewStateEncryptionMode="Always" %>
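As an added example (not part of the original finding), the following audit checks a Web.config for the recommended setting and applies a heuristic to a captured __VIEWSTATE value: an unencrypted ViewState is an ObjectStateFormatter stream that begins with the marker bytes 0xFF 0x01 (base64 prefix "/wE"), while an encrypted one does not. The config fragments and ViewState values are constructed samples.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed Web.config fragments: the weak default and the hardened form.
WEAK_CONFIG = """<configuration>
  <system.web>
    <pages />
  </system.web>
</configuration>"""

FIXED_CONFIG = """<configuration>
  <system.web>
    <pages viewStateEncryptionMode="Always" />
  </system.web>
</configuration>"""

# Constructed __VIEWSTATE values: a plaintext ObjectStateFormatter stream
# (0xFF 0x01 header followed by made-up tokens) and an opaque, random-looking blob
# standing in for an encrypted one.
SAMPLE_PLAINTEXT_VIEWSTATE = base64.b64encode(b"\xff\x01\x0f\x05\x05hello").decode()
SAMPLE_ENCRYPTED_VIEWSTATE = base64.b64encode(b"\x8a\x43\x19\xd2\x77\x0c\xbe\x51").decode()


def viewstate_encryption_mode(web_config_xml: str) -> str:
    """Return the effective viewStateEncryptionMode from a Web.config string.

    When the attribute is absent ASP.NET uses "Auto": state is encrypted only
    if a control on the page requests it, so a missing attribute is reported as
    "Auto" rather than as hardened.
    """
    root = ET.fromstring(web_config_xml)
    pages = root.find("./system.web/pages")
    if pages is None:
        return "Auto"
    return pages.get("viewStateEncryptionMode", "Auto")


def config_is_hardened(web_config_xml: str) -> bool:
    """True only when encryption is forced for every page, as the finding recommends."""
    return viewstate_encryption_mode(web_config_xml) == "Always"


def viewstate_looks_plaintext(viewstate_b64: str) -> bool:
    """Heuristic: a serialized, unencrypted ViewState starts with 0xFF 0x01."""
    raw = base64.b64decode(viewstate_b64)
    return raw[:2] == b"\xff\x01"
```

Run the config check against each Web.config in the deployment and the ViewState check against a few captured responses; a page whose __VIEWSTATE still starts with "/wE" after the change indicates the setting did not take effect.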