| Details | |
|---|---|
| Alert ID | 10094-2 |
| Alert Type | Passive |
| Status | alpha |
| Risk | High |
| CWE | 642 |
| WASC | 13 |
| Technologies Targeted | All |
| Tags | CWE-642 OWASP_2017_A03 OWASP_2021_A04 |
| More Info | Scan Rule Help |
Summary
The application does not use a Message Authentication Code (MAC) to protect the integrity of the ASP.NET ViewState, which can be tampered with by a malicious client.
Solution
Ensure that every ASP.NET ViewState is protected from tampering by a MAC generated with a secure algorithm and a secret key held on the server side. This is the default configuration on modern ASP.NET installations, but it may be overridden programmatically or via the ASP.NET configuration.
Other Info
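The configuration override the solution refers to, shown as an added illustration rather than content from this alert page: a hypothetical web.config excerpt with the insecure setting commented out next to the secure default (the machineKey values are placeholders, not real keys).

```xml
<!-- Added example, not from the original page: hypothetical web.config excerpt. -->
<configuration>
  <system.web>
    <!-- INSECURE: this override disables MAC validation, so a client can alter the
         serialized ViewState without the server noticing. This is the condition the
         alert reports. The same override can be set per page with
         <%@ Page EnableViewStateMac="false" %> or Page.EnableViewStateMac in code.
    <pages enableViewStateMac="false" />
    -->

    <!-- SECURE (the default): the server validates the MAC on every postback and
         rejects a ViewState whose MAC does not match. -->
    <pages enableViewStateMac="true" />

    <!-- Pin the validation key explicitly so every server in a farm verifies the same
         MAC; generate real values per deployment, the placeholders below are not keys. -->
    <machineKey validationKey="[GENERATED-VALIDATION-KEY-PLACEHOLDER]"
                decryptionKey="[GENERATED-DECRYPTION-KEY-PLACEHOLDER]"
                validation="HMACSHA256"
                decryption="AES" />
  </system.web>
</configuration>
```

After changing the setting, a ViewState parameter that the scanner previously flagged should no longer be reported, and a tampered `__VIEWSTATE` value submitted to the page should be rejected with a MAC validation failure rather than processed.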
References
- https://learn.microsoft.com/en-us/previous-versions/bb386448(v=vs.140)
- https://www.jardinesoftware.net/2012/02/06/asp-net-tampering-with-event-validation-part-1/