ViewState not Signed

The ViewState is a field used in ASP.NET applications to save the current state of the application. To avoid data tampering, the ViewState value should be signed by enforcing a MAC (Machine Authentication Check) mechanism.

An attacker may be able to tamper with the ViewState value by deserializing it, editing its content and encoding it back. The severity depends on the kind of data stored in the field. For example, ViewState can be used to store user credentials or application state, which may indicate the user's access level.

Solution

The ASP.NET ViewState field should be MAC (Machine Authentication Check) enabled.

References

http://msdn.microsoft.com/en-us/library/ms972976.aspx#viewstate_topic12