
Security Test: ASP.NET ViewState Encryption Disabled

Scanner(s) Support

- GraphQL Scanner
- REST Scanner
- Frontend Scanner

Description

Default Severity:

In ASP.NET, the ViewState is a serialized object that carries the state of the page together with internal data about the application, the user and the request context. It is encrypted with a symmetric key so that it cannot be tampered with or read by an attacker. When encryption is disabled, the ViewState is sent in the clear and anyone who receives the page can decode and read it. This is a risk whenever the ViewState is used to store sensitive data such as passwords, tokens or other confidential information that users or attackers are not meant to see (at most manipulate blindly).
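The following is an added example, not the scanner's own code, showing how a check for this finding can be performed: an unencrypted ViewState is produced by ObjectStateFormatter, whose serialized stream begins with the marker bytes 0xFF 0x01 (base64 prefix "/wE"), whereas an encrypted ViewState is opaque ciphertext with no such marker. The HTML snippet and both ViewState values are constructed here for illustration; the remediation it points to is the real `viewStateEncryptionMode` page setting in web.config.

```python
import base64
import binascii
import re

# ObjectStateFormatter writes this version marker at the start of every
# unencrypted ViewState; encrypted ViewState has no fixed leading bytes.
OSF_MARKER = b"\xff\x01"

# Hidden field as ASP.NET renders it (name before value).
VIEWSTATE_RE = re.compile(
    r'<input[^>]+name="__VIEWSTATE"[^>]+value="([^"]*)"', re.IGNORECASE)


def extract_viewstate(html: str):
    """Return the __VIEWSTATE hidden-field value from an HTML page, or None."""
    match = VIEWSTATE_RE.search(html)
    return match.group(1) if match else None


def classify_viewstate(value: str) -> str:
    """Classify a __VIEWSTATE value as 'unencrypted', 'encrypted' or 'invalid'."""
    padded = value + "=" * (-len(value) % 4)      # tolerate stripped padding
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return "invalid"
    if len(raw) < len(OSF_MARKER):
        return "invalid"
    return "unencrypted" if raw.startswith(OSF_MARKER) else "encrypted"


def check_page(html: str) -> str:
    """Scanner-style verdict for one page: 'no_viewstate' or the classification.

    A verdict of 'unencrypted' maps to this finding; the fix is
    <pages viewStateEncryptionMode="Always" /> in web.config.
    """
    value = extract_viewstate(html)
    return "no_viewstate" if value is None else classify_viewstate(value)


# Constructed samples: a cleartext ViewState (marker + dummy payload) and an
# "encrypted" one made of arbitrary bytes that do not carry the marker.
SAMPLE_UNENCRYPTED = base64.b64encode(OSF_MARKER + b"\x0f\x0fconstructed").decode()
SAMPLE_ENCRYPTED = base64.b64encode(bytes(range(1, 33))).decode()
SAMPLE_HTML = ('<form><input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" '
               f'value="{SAMPLE_UNENCRYPTED}" /></form>')

if __name__ == "__main__":
    print(check_page(SAMPLE_HTML))
```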

Reference:

Configuration

Identifier: frontend_injection/asp_net_viewstate_encryption_disabled

Examples

All available configuration:

checks:
  frontend_injection/asp_net_viewstate_encryption_disabled:
    skip: false # default

Compliance and Standards

Standard           Value
OWASP API Top 10   A02:2021
OWASP LLM Top 10   LLM02:2023
PCI DSS            3.4
GDPR               Article-32
SOC2               CC1
PSD2               Article-95
ISO 27001          A.14.2
NIST               SP800-53
FedRAMP            AC-4
CWE                311
CVSS Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C
CVSS Score         5.1