Vulnerabilities/

ViewState is not Encrypted

Impact: Informational

Description

The ViewState, a hidden form input in ASP.NET pages, automatically persists information and application data specific to a page. If the ViewState is not encrypted, its contents can be easily viewed by anyone, potentially exposing sensitive information.

Recommendation

To enhance security, avoid storing sensitive values in the ViewState and enable encryption for it. For the entire application, enable ViewState encryption by adding the specified configuration to the Web.Config file under the system.web node:

<system.web>
  <pages viewStateEncryptionMode="Always" />
</system.web>

Alternatively, for specific pages, enable encryption by adding the provided directive at the top of each page:

<%@Page ViewStateEncryptionMode="Always" %>

References

👉 You might also like:

ASP.NET Version Disclosure - Vulnerability

Missing or Insecure Cache-Control Header - Vulnerability

PHP Version Disclosure - Vulnerability

X-Powered-By Header Found - Vulnerability

Last updated on May 13, 2024

Use SmartScanner Free version to test for this issue

Download