ViewState is not Encrypted
Impact: Informational
Description
The ViewState, a hidden form input in ASP.NET pages, automatically persists information and application data specific to a page. If the ViewState is not encrypted, its contents can be easily viewed by anyone, potentially exposing sensitive information.
Recommendation
To enhance security, avoid storing sensitive values in the ViewState and enable encryption for it. For the entire application, enable ViewState encryption by adding the following configuration to the Web.config file under the system.web node:
<system.web>
  <pages viewStateEncryptionMode="Always" />
</system.web>
Alternatively, for specific pages, enable encryption by adding the following directive at the top of each page:
<%@Page ViewStateEncryptionMode="Always" %>
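To verify the finding, or to confirm that the configuration above took effect, the __VIEWSTATE value returned by a page can be checked directly: an encrypted ViewState is an opaque blob, while an unencrypted one (with or without a MAC) starts with the ObjectStateFormatter header 0xFF 0x01 and its contents can be read out. The following Python decoder is an added example, not part of the original page; the sample blobs are constructed, and only the common ObjectStateFormatter tokens are handled.

```python
import base64

LOS_MAGIC = b"\xff\x01"  # ObjectStateFormatter header: marker 0xFF, format version 1
SIMPLE = {0x64: None, 0x65: "", 0x66: 0, 0x67: True, 0x68: False}  # Null, EmptyString, ZeroInt32, True, False

def _read_7bit(buf, pos):  # 7-bit-encoded uint, as BinaryWriter.Write7BitEncodedInt writes it
    value, shift = 0, 0
    while buf[pos] & 0x80:
        value |= (buf[pos] & 0x7F) << shift
        shift, pos = shift + 7, pos + 1
    return value | (buf[pos] << shift), pos + 1

def _parse(buf, pos):  # decode one LOS token; only the common subset is handled, anything else raises
    tok, pos = buf[pos], pos + 1
    if tok in SIMPLE:
        return SIMPLE[tok], pos
    if tok == 0x02:                           # Int32
        return _read_7bit(buf, pos)
    if tok == 0x05:                           # String: 7-bit length, then UTF-8 bytes
        n, pos = _read_7bit(buf, pos)
        return buf[pos:pos + n].decode("utf-8"), pos + n
    if tok in (0x0F, 0x10, 0x16):             # Pair / Triplet / ArrayList (ArrayList carries a 7-bit count)
        n, pos = (2, pos) if tok == 0x0F else (3, pos) if tok == 0x10 else _read_7bit(buf, pos)
        items = []
        for _ in range(n):
            item, pos = _parse(buf, pos)
            items.append(item)
        return (items if tok == 0x16 else tuple(items)), pos
    raise ValueError(f"unsupported LOS token 0x{tok:02x} at offset {pos - 1}")

def _strings(obj):  # every string in the decoded tree: exactly what a reader of plaintext ViewState sees
    if isinstance(obj, str):
        return [obj]
    return [s for item in obj for s in _strings(item)] if isinstance(obj, (tuple, list)) else []

def decode_viewstate(viewstate_b64):
    # Encrypted ViewState has no LOS header; plaintext (unprotected or MAC-only) starts with 0xFF 0x01.
    raw = base64.b64decode(viewstate_b64)
    if not raw.startswith(LOS_MAGIC):
        return {"plaintext": False, "state": None, "strings": [], "trailing_bytes": 0}
    state, end = _parse(raw, len(LOS_MAGIC))
    # Bytes after the root object are the MAC when EnableViewStateMac is on (20 bytes for HMACSHA1).
    return {"plaintext": True, "state": state, "strings": _strings(state), "trailing_bytes": len(raw) - end}

# Constructed sample: Pair(Pair("1234567890", Triplet(Null, "Jane Doe", True)), [42, "internal_user_id=42"]) + fake MAC
PLAINTEXT_SAMPLE = base64.b64encode(
    b"\xff\x01\x0f\x0f\x05\x0a1234567890\x10\x64\x05\x08Jane Doe\x67"
    b"\x16\x02\x02\x2a\x05\x13internal_user_id=42" + b"\x00" * 20).decode()
ENCRYPTED_SAMPLE = base64.b64encode(bytes(range(0x10, 0x30))).decode()  # constructed: no LOS header
```

Run decode_viewstate() on the __VIEWSTATE value of a page before and after the configuration change: a "plaintext": True result with readable strings means the setting has not taken effect for that page.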
Last updated on May 13, 2024