Microsoft .NET Hidden 'ViewState' Detection
Info Nessus Network Monitor Plugin ID 5081
Synopsis
The remote .NET application stores state information within a hidden form field.

Description
The remote .NET application stores state information within a hidden form field. Further, the information is not hashed. Given this, an attacker can modify the ViewState string in transit and possibly alter the state or output of the .NET application.

Solution
Enable hashing of the ViewState string. This can be accomplished by setting 'enableViewStateMac="true"' in the configuration file. See the referenced MSDN article for more information.
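
An added example, not part of the plugin or of Microsoft's documentation: a short Python audit that flags web.config <pages> elements and @ Page directives where enableViewStateMac is explicitly switched off. The function names and the sample config and page are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs (not taken from any real application).
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <pages enableViewStateMac="false" />
  </system.web>
  <location path="admin">
    <system.web>
      <pages enableViewStateMac="true" />
    </system.web>
  </location>
</configuration>"""

SAMPLE_ASPX = '<%@ Page Language="C#" EnableViewStateMac="false" %>\n<form runat="server"></form>'

# Matches the EnableViewStateMac attribute inside an @ Page directive.
PAGE_DIRECTIVE = re.compile(
    r'<%@\s*Page\b[^%]*?\bEnableViewStateMac\s*=\s*"([^"]*)"', re.IGNORECASE)


def audit_web_config(xml_text):
    """Return (scope, value) for each <pages> element that disables the ViewState MAC."""
    root = ET.fromstring(xml_text)
    findings = []
    # Site-wide <system.web> plus every <system.web> nested in <location path="...">.
    scopes = [("(site)", root)]
    scopes += [(loc.get("path", "(site)"), loc) for loc in root.iter("location")]
    for scope, node in scopes:
        for pages in node.findall("./system.web/pages"):
            value = pages.get("enableViewStateMac")
            # An absent attribute keeps the ASP.NET default (true), so it is not flagged.
            if value is not None and value.strip().lower() == "false":
                findings.append((scope, value))
    return findings


def audit_page_directive(aspx_text):
    """Return True when an @ Page directive sets EnableViewStateMac to false."""
    m = PAGE_DIRECTIVE.search(aspx_text)
    return bool(m) and m.group(1).strip().lower() == "false"


if __name__ == "__main__":
    print("web.config findings:", audit_web_config(SAMPLE_WEB_CONFIG))
    print("page directive disables MAC:", audit_page_directive(SAMPLE_ASPX))
```

A per-page directive can override the site-wide setting, so both the configuration file and the individual .aspx pages need to be checked.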