Configuration: ASP.NET ViewState MAC Validation Disabled
Identifier: asp_net_view_state_mac_validation_disabled
Scanner(s) Support
| GraphQL Scanner | REST Scanner | WebApp Scanner |
|---|---|---|
Description
In ASP.NET, the ViewState is a complex object that contains the state of the page along with internal data about the application, user, and context. ASP.NET authenticates the ViewState with a MAC (Message Authentication Code) so that tampering can be detected. If MAC validation is disabled, the ViewState is not authenticated and the server accepts a tampered value. An attacker can exploit this to execute arbitrary code on the server, change values, switch users, and more.
Configuration
Example
Example configuration:
---
security_tests:
  asp_net_view_state_mac_validation_disabled:
    assets_allowed:
      - WEBAPP
    skip: false
Reference
assets_allowed
Type : List[AssetType]*
List of assets that this check will cover.
skip
Type : boolean
Skip the test if true.