
ViewState is not Encrypted

Impact: Informational

Description

The ViewState is a hidden form field (__VIEWSTATE) in ASP.NET Web Forms pages which is used automatically to persist information such as non-default values of controls across postbacks. Application code can also store page-specific data in it. By default the ViewState is only serialized and Base64-encoded, not encrypted, so anyone who can read the page source or the HTTP traffic can decode it and see the stored values.
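As an added example (not part of this page and not SmartScanner code), the check below shows both halves of the description: it tells plaintext ViewState apart from encrypted ViewState, and it decodes a plaintext one to show the stored values in the clear. It relies on two facts about ASP.NET: the ObjectStateFormatter serializer starts every unencrypted ViewState with the bytes 0xFF 0x01 (Base64 "/wE", which is why unencrypted values usually begin with "/wEP"), and a page rendered with encryption on carries an extra empty hidden field named __VIEWSTATEENCRYPTED. The token values, the sample page and the sample ViewState bytes are all constructed for this example; only a small subset of the serializer's tokens is handled, and any other token stops the decoder with an error.

```python
import base64
import re

# Unencrypted ViewState begins with a format marker (0xFF) and version (0x01).
FORMAT_MARKER = b"\xff\x01"
# ObjectStateFormatter token bytes for the subset handled here (assumed values).
T_INT16, T_INT32, T_BYTE, T_STRING = 0x01, 0x02, 0x03, 0x05
T_PAIR, T_TRIPLET, T_ARRAYLIST, T_HASHTABLE = 0x0F, 0x10, 0x16, 0x17
T_INDEXED_STRING_ADD, T_INDEXED_STRING = 0x1E, 0x1F
SIMPLE = {0x64: None, 0x65: "", 0x66: 0, 0x67: True, 0x68: False}  # Null, "", 0, True, False


class ViewStateReader:
    """Decodes the ObjectStateFormatter subset above into Python objects."""

    def __init__(self, data):
        self.data, self.pos, self.strings = data, 0, []

    def byte(self):
        self.pos += 1
        return self.data[self.pos - 1]

    def encoded_int(self):
        # BinaryWriter.Write7BitEncodedInt: base-128, low group first, high bit = more
        value, shift = 0, 0
        while True:
            b = self.byte()
            value |= (b & 0x7F) << shift
            if not b & 0x80:
                return value - (1 << 32) if value >= 1 << 31 else value
            shift += 7

    def string(self):
        n = self.encoded_int()
        self.pos += n
        return self.data[self.pos - n:self.pos].decode("utf-8")

    def value(self):
        tok = self.byte()
        if tok in SIMPLE:
            return SIMPLE[tok]
        if tok == T_BYTE:
            return self.byte()
        if tok == T_INT16:
            self.pos += 2
            return int.from_bytes(self.data[self.pos - 2:self.pos], "little", signed=True)
        if tok == T_INT32:
            return self.encoded_int()
        if tok == T_STRING:
            return self.string()
        if tok == T_INDEXED_STRING_ADD:  # string added to a table for later reuse
            self.strings.append(self.string())
            return self.strings[-1]
        if tok == T_INDEXED_STRING:      # one-byte index into that table
            return self.strings[self.byte()]
        if tok == T_PAIR:
            return ("Pair", self.value(), self.value())
        if tok == T_TRIPLET:
            return ("Triplet", self.value(), self.value(), self.value())
        if tok == T_ARRAYLIST:
            return [self.value() for _ in range(self.encoded_int())]
        if tok == T_HASHTABLE:
            table = {}
            for _ in range(self.encoded_int()):
                key = self.value()       # key is serialized before its value
                table[key] = self.value()
            return table
        raise ValueError(f"unsupported token 0x{tok:02x} at offset {self.pos - 1}")


def check_viewstate(html):
    """Report whether a page's __VIEWSTATE is plaintext and, if so, what it holds."""
    m = re.search(r'name="__VIEWSTATE"[^>]*value="([^"]*)"', html)
    if not m:
        return {"present": False}
    raw = base64.b64decode(m.group(1))
    report = {
        "present": True,
        # emitted (empty) by ASP.NET only when ViewState encryption is in effect
        "encrypted_field": 'name="__VIEWSTATEENCRYPTED"' in html,
        # ciphertext has no fixed prefix; the marker means plaintext serialization
        "plaintext": raw.startswith(FORMAT_MARKER),
        "state": None,
        "trailing_bytes": 0,
    }
    if report["plaintext"]:
        reader = ViewStateReader(raw[len(FORMAT_MARKER):])
        report["state"] = reader.value()
        # bytes after the root object are the ViewState MAC when enableViewStateMac is on
        report["trailing_bytes"] = len(reader.data) - reader.pos
    return report


def _s(text):
    """Token_String with a one-byte length (only for strings under 128 bytes)."""
    data = text.encode("utf-8")
    return bytes([T_STRING, len(data)]) + data


# Constructed sample: Pair(Pair(Int32 42, Null), Hashtable{...}) followed by 20 zero
# bytes standing in for an HMAC-SHA1 MAC. Hand-built here, not captured from an app.
PLAINTEXT_STATE = (FORMAT_MARKER + bytes([T_PAIR, T_PAIR, T_INT32, 42, SIMPLE and 0x64])
                   + bytes([T_HASHTABLE, 2]) + _s("AccountNumber") + _s("ACC-00112233")
                   + _s("IsAdmin") + bytes([0x68]) + b"\x00" * 20)


def page(viewstate, encrypted):
    """Minimal rendered form with the hidden fields ASP.NET emits (constructed)."""
    fields = ('<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="'
              + base64.b64encode(viewstate).decode() + '" />')
    if encrypted:
        fields += '<input type="hidden" name="__VIEWSTATEENCRYPTED" id="__VIEWSTATEENCRYPTED" value="" />'
    return '<form method="post" action="./Default.aspx">' + fields + "</form>"


PLAINTEXT_PAGE = page(PLAINTEXT_STATE, encrypted=False)
# Stand-in ciphertext: arbitrary bytes with no 0xFF 0x01 prefix (constructed).
ENCRYPTED_PAGE = page(bytes(range(0x10, 0x40)), encrypted=True)

if __name__ == "__main__":
    for name, html in (("plaintext", PLAINTEXT_PAGE), ("encrypted", ENCRYPTED_PAGE)):
        print(name, check_viewstate(html))
```

Run against the constructed plaintext page, the decoder prints the account number and the IsAdmin flag in the clear, which is exactly what an attacker with the page source gets. The 20 trailing bytes show the other half of the picture: a MAC stops tampering but does nothing for confidentiality, and encryption does the reverse, so both are needed. The prefix test is the reliable one; the __VIEWSTATEENCRYPTED field is only a hint, since a page can be misconfigured to emit one without the other.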

Recommendation

Do not store sensitive values in the ViewState, and enable encryption for it. Encryption only protects confidentiality; keep ViewState MAC validation enabled as well (enableViewStateMac, which is on by default) so that the ViewState cannot be tampered with. On a web farm every server must also share the same machineKey, otherwise a ViewState encrypted by one server cannot be decrypted by another. To enable ViewState encryption for the whole application, set viewStateEncryptionMode on the pages node under system.web in Web.config (the default, Auto, encrypts only when a control requests it):

<system.web>
  <pages viewStateEncryptionMode="Always" />
</system.web>

To enable encryption for a specific page, add the directive below at the top of the page:

<%@ Page ViewStateEncryptionMode="Always" %>

Last updated on July 07, 2021
