Configuration: ASP.NET ViewState Encryption

Identifier: asp_net_view_state_encryption

Scanner(s) Support

GraphQL Scanner, REST Scanner, WebApp Scanner

Description

In ASP.NET, the ViewState is a complex object that contains the state of the page and internal data of the application, user, and context. The ViewState is encrypted using a symmetric key to ensure that it is not tampered with and cannot be read by an attacker. If encryption is disabled, the ViewState is sent unencrypted and an attacker can read it. This is a risk when the ViewState stores sensitive data, such as passwords, tokens, or other confidential information, that users and attackers are not supposed to see (they should only be able to manipulate it blindly).
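One way to check a page of your own for the condition described above, as an added example that is not the scanner's own code. It assumes an unencrypted ViewState is base64 of ObjectStateFormatter output, which begins with the bytes 0xFF 0x01, and that the hidden field renders `name` before `value`; all sample values are constructed.

```python
import base64
import binascii
import re

# ObjectStateFormatter output starts with a format marker (0xFF) and a
# version marker (0x01); base64 of those bytes gives the "/w" prefix.
PLAINTEXT_HEADER = b"\xff\x01"
FIELD_RE = re.compile(
    r'<input\b[^>]*\bname="__VIEWSTATE"[^>]*\bvalue="([^"]*)"', re.IGNORECASE)

def extract_viewstate(html):
    """Return the __VIEWSTATE field value from a page, or None if absent."""
    match = FIELD_RE.search(html)
    return match.group(1) if match else None

def classify_viewstate(value):
    """Return 'empty', 'invalid', 'unencrypted' or 'opaque'."""
    if not value:
        return "empty"
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return "invalid"
    # Encrypted output does not expose the serializer header.
    return "unencrypted" if raw.startswith(PLAINTEXT_HEADER) else "opaque"

def readable_strings(value, min_len=4):
    """List printable ASCII runs visible in an unencrypted ViewState."""
    if classify_viewstate(value) != "unencrypted":
        return []
    raw = base64.b64decode(value)
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, raw)]

# Constructed samples: only the two header bytes follow the real format;
# the rest is filler, not a genuine serialized control tree.
SAMPLE_PLAIN = base64.b64encode(
    b"\xff\x01\x0f\x05\x15api_token=CONSTRUCTED").decode()
SAMPLE_OPAQUE = base64.b64encode(bytes(range(16, 48))).decode()
SAMPLE_HTML = ('<input type="hidden" name="__VIEWSTATE" '
               'id="__VIEWSTATE" value="%s" />' % SAMPLE_PLAIN)

if __name__ == "__main__":
    field = extract_viewstate(SAMPLE_HTML)
    print(classify_viewstate(field), readable_strings(field))
    print(classify_viewstate(SAMPLE_OPAQUE))
```

If a page is classified as unencrypted, setting `viewStateEncryptionMode="Always"` on the `<pages>` element in web.config turns encryption on for every page.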

Configuration

Example

Example configuration:

---
security_tests:
  asp_net_view_state_encryption:
    assets_allowed:
    - WEBAPP
    skip: false

Reference

assets_allowed

Type : List[AssetType]*

List of assets that this check will cover.

skip

Type : boolean

Skip the test if true.