Microsoft .NET Hidden 'ViewState' Detection

Info Nessus Network Monitor Plugin ID 5081

Synopsis

The remote .NET application stores state information within a hidden form field.

Description

The remote .NET application stores state information within a hidden form field. Further, the information is not hashed. Given this, an attacker can modify the ViewState string in transit and possibly alter the state or output of the .NET application.

Solution

Enable hashing of the ViewState string. This can be accomplished by setting 'enableViewStateMac="true"' in the configuration file. See the referenced MSDN article for more information.

See Also

http://msdn.microsoft.com/en-us/library/ms972976.aspx

Plugin Details

Severity: Info

ID: 5081

Family: Data Leakage

Published: 2004/08/18

Modified: 2015/06/01

Risk Information

Risk Factor: Info