Configuration: ASP.NET ViewState MAC Validation Disabled
Identifier: asp_net_view_state_mac_validation_disabled
Scanner(s) Support
| GraphQL Scanner | REST Scanner | WebApp Scanner | ASM Scanner |
|---|---|---|---|
Description
In ASP.NET, the ViewState is a complex object that contains the state of the page and internal data of the application, user, and context. The ViewState is authenticated using a MAC (Message Authentication Code) to ensure that it is not tampered with. If the MAC is disabled, the ViewState is not authenticated and can be tampered with. This can be exploited by an attacker to execute arbitrary code on the server, change values, switch users and more.
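One way to check a deployed web.config for the setting described above, as an added example that is not part of the original page or the scanner's own code. The function name `audit_viewstate_mac` and the sample configuration are constructed for illustration; `enableViewStateMac` and `aspnet:AllowInsecureDeserialization` are the ASP.NET settings that control MAC validation.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config, not taken from any real application.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="aspnet:AllowInsecureDeserialization" value="true" />
  </appSettings>
  <system.web>
    <pages enableViewStateMac="true" />
  </system.web>
  <location path="legacy">
    <system.web>
      <pages enableViewStateMac="False" />
    </system.web>
  </location>
</configuration>"""


def audit_viewstate_mac(config_xml):
    """Return (scope, setting) findings that switch ViewState MAC validation off.

    Assumes a web.config without an XML namespace on <configuration>.
    Page-level directives in .aspx files are not covered here.
    """
    root = ET.fromstring(config_xml)
    findings = []
    # <pages enableViewStateMac="false"> at site level or inside a <location>.
    for scope in [root] + root.findall("location"):
        path = scope.get("path", "(site root)")
        for pages in scope.findall("system.web/pages"):
            if pages.get("enableViewStateMac", "true").strip().lower() == "false":
                findings.append((path, "enableViewStateMac=false"))
    # App setting that makes patched runtimes honour a disabled MAC again.
    for add in root.findall("appSettings/add"):
        key = add.get("key", "").strip().lower()
        value = add.get("value", "").strip().lower()
        if key == "aspnet:allowinsecuredeserialization" and value == "true":
            findings.append(("(site root)", "aspnet:AllowInsecureDeserialization=true"))
    return findings


if __name__ == "__main__":
    for scope, setting in audit_viewstate_mac(SAMPLE_WEB_CONFIG):
        print(f"{scope}: {setting}")
```

An empty result means neither setting is present in the file; the remediation for any finding is to remove the attribute or set it to true and to delete the app setting.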
Configuration
Example
Example configuration:
Reference
skip
Type : boolean
Skip the test if true.