ViewState Not Encrypted

The ViewState is a field used in ASP.NET applications to save the current state of the application. If it is used to store sensitive data, such as user details, it should be properly encrypted to maintain the confidentiality of that data.

Without strong encryption, an attacker is able to read the ViewState content, because by default the value of the field is only base64-encoded.
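One way to check your own pages for this condition, as an added example that is not part of the original entry. It assumes ASP.NET 2.0 or later, where the serialized ViewState begins with the bytes 0xFF 0x01; the function name `audit_viewstate` and the sample pages are constructed for illustration.

```python
import base64
import binascii
import re
from html.parser import HTMLParser

# Assumption: ASP.NET 2.0+ ObjectStateFormatter output starts with 0xFF 0x01.
PLAINTEXT_HEADER = b"\xff\x01"

class _ViewStateFinder(HTMLParser):
    """Collects the value of the hidden __VIEWSTATE input, if present."""
    def __init__(self):
        super().__init__()
        self.value = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("name") == "__VIEWSTATE":
            self.value = a.get("value") or ""

def audit_viewstate(html):
    """Return (status, readable_strings) for the page's __VIEWSTATE field."""
    finder = _ViewStateFinder()
    finder.feed(html)
    if finder.value is None:
        return "absent", []
    try:
        raw = base64.b64decode(finder.value, validate=True)
    except (binascii.Error, ValueError):
        return "undecodable", []
    if not raw:
        return "empty", []
    if not raw.startswith(PLAINTEXT_HEADER):
        return "opaque", []  # no plaintext header: consistent with encryption
    # Printable ASCII runs of 4+ bytes: what anyone holding the page can read.
    strings = [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{4,}", raw)]
    return "unencrypted", strings

# Constructed sample pages (simplified, not captured from a real application).
_PLAIN = base64.b64encode(b"\xff\x01\x05\x17email=alice@example.org").decode()
_OPAQUE = base64.b64encode(bytes(range(16, 48))).decode()
PAGE_PLAIN = f'<form><input type="hidden" name="__VIEWSTATE" value="{_PLAIN}" /></form>'
PAGE_OPAQUE = f'<form><input type="hidden" name="__VIEWSTATE" value="{_OPAQUE}" /></form>'

if __name__ == "__main__":
    for name, page in (("plain", PAGE_PLAIN), ("opaque", PAGE_OPAQUE)):
        print(name, audit_viewstate(page))
```

An "opaque" result only means the plaintext header is missing; confirm in the application's configuration that encryption is actually enabled.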

Solution

The ASP.NET ViewState field should be encrypted.

References

http://msdn.microsoft.com/en-us/library/ms972976.aspx#viewstate_topic12