
Microsoft .NET Hidden 'ViewState' Detection

Info

Synopsis

The remote .NET application stores state information within a hidden form field.

Description

The remote .NET application stores state information within a hidden form field. Further, the information is not hashed. Given this, an attacker can modify the ViewState string in transit and possibly alter the state or output of the .NET application.

Solution

Enable hashing of the ViewState string. This can be accomplished by setting 'enableViewStateMac="true"' in the configuration file. See the referenced MSDN article for more information.
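An added example, not part of the original plugin text or any vendor tool: a Python audit that checks a web.config and an .aspx page directive for the setting named in the Solution. The sample files are constructed, the function names are hypothetical, and an absent attribute is treated as the framework default of enabled.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample web.config (not from the page): the site-wide setting is
# correct, but a <location> override switches the MAC off for one path.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <pages enableViewStateMac="true" />
  </system.web>
  <location path="legacy/report.aspx">
    <system.web>
      <pages enableViewStateMac="false" />
    </system.web>
  </location>
</configuration>"""

# Constructed sample .aspx header with a page-level override.
SAMPLE_ASPX = '<%@ Page Language="C#" EnableViewStateMac="false" %>\n<html></html>'

# @ Page directives are case-insensitive, so match accordingly.
DIRECTIVE_RE = re.compile(
    r'<%@\s*Page\b[^%]*?\bEnableViewStateMac\s*=\s*"false"', re.I)


def audit_web_config(xml_text):
    """Return the scopes whose <pages> element disables the ViewState MAC."""
    root = ET.fromstring(xml_text)
    # The top-level <system.web> applies site-wide; <location> narrows the scope.
    scopes = [("(site-wide)", root)]
    scopes += [(loc.get("path", "(all)"), loc) for loc in root.iter("location")]
    findings = []
    for scope, node in scopes:
        for system_web in node.findall("system.web"):
            for pages in system_web.findall("pages"):
                value = pages.get("enableViewStateMac", "true")  # absent = enabled
                if value.strip().lower() == "false":
                    findings.append(scope)
    return findings


def aspx_disables_mac(aspx_text):
    """True if an @ Page directive sets EnableViewStateMac to false."""
    return bool(DIRECTIVE_RE.search(aspx_text))


if __name__ == "__main__":
    for scope in audit_web_config(SAMPLE_WEB_CONFIG):
        print("ViewState MAC disabled for:", scope)
    print("Page directive override:", aspx_disables_mac(SAMPLE_ASPX))
```
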