Security Test: ASP.NET ViewState MAC Disabled
Scanner(s) Support
GraphQL Scanner | REST Scanner | Frontend Scanner |
---|---|---|
Description
Default Severity:
In ASP.NET, the ViewState is a serialized object, round-tripped through the client, that holds the state of the page together with internal application, user and context data. The server protects it with a MAC (Message Authentication Code) so that any modification made on the client side is detected and rejected. When the MAC is disabled, the server accepts and deserializes the ViewState without authenticating it, so an attacker can tamper with it to execute arbitrary code on the server, change values, switch users and more.
Reference:
- https://www.troyhunt.com/understanding-and-testing-for-view/
- https://soroush.me/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/
- https://learn.microsoft.com/en-us/previous-versions/dotnet/articles/ms972976(v=msdn.10)
- https://learn.microsoft.com/en-us/dotnet/api/system.web.ui.page.enableviewstatemac?view=netframework-4.8
- https://devblogs.microsoft.com/dotnet/cryptographic-improvements-in-asp-net-4-5-pt-2/
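An added audit check, not part of this scanner or the page: a Python script that flags the two places where the ViewState MAC can be disabled in ASP.NET Web Forms, the `<pages>` element in web.config and the `@Page` directive in an .aspx file. The sample configuration files and the project tree it inspects are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample web.config files (not from any real project).
WEB_CONFIG_WEAK = """<configuration>
  <system.web>
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>"""
WEB_CONFIG_OK = """<configuration>
  <system.web>
    <pages enableViewStateMac="true" viewStateEncryptionMode="Always" />
  </system.web>
</configuration>"""
# Constructed sample @Page directives: the first disables the MAC for one page.
ASPX_WEAK = '<%@ Page Language="C#" EnableViewStateMac="false" AutoEventWireup="true" %>'
ASPX_OK = '<%@ Page Language="C#" AutoEventWireup="true" %>'

PAGE_DIRECTIVE = re.compile(r"<%@\s*Page\b(.*?)%>", re.IGNORECASE | re.DOTALL)
MAC_FALSE = re.compile(r'EnableViewStateMac\s*=\s*"?\s*false\s*"?', re.IGNORECASE)

def web_config_mac_disabled(xml_text: str) -> bool:
    """True if any <pages> element, including ones nested under <location>,
    sets enableViewStateMac to false (attribute name matched case-insensitively)."""
    root = ET.fromstring(xml_text)
    for pages in root.iter("pages"):
        for name, value in pages.attrib.items():
            if name.lower() == "enableviewstatemac" and value.strip().lower() == "false":
                return True
    return False

def aspx_mac_disabled(aspx_text: str) -> bool:
    """True if the page's @Page directive sets EnableViewStateMac="false"."""
    match = PAGE_DIRECTIVE.search(aspx_text)
    return bool(match and MAC_FALSE.search(match.group(1)))

def audit(files: dict[str, str]) -> list[str]:
    """Given a path -> content mapping, return the paths that disable the MAC."""
    findings = []
    for path, text in files.items():
        lower = path.lower()
        if lower.endswith("web.config") and web_config_mac_disabled(text):
            findings.append(path)
        elif lower.endswith(".aspx") and aspx_mac_disabled(text):
            findings.append(path)
    return findings

# Constructed project tree; audit(SAMPLE_TREE) returns ['web.config', 'Login.aspx']
SAMPLE_TREE = {"web.config": WEB_CONFIG_WEAK, "Admin/web.config": WEB_CONFIG_OK,
               "Login.aspx": ASPX_WEAK, "Default.aspx": ASPX_OK}
```

On ASP.NET 4.5.2 and later the runtime enforces the MAC regardless of this setting, so a hit matters most on older framework versions. The fix in either location is to remove the attribute or set it to true, and to configure a machineKey with a strong validation algorithm.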
Configuration
Identifier:
frontend_injection/asp_net_viewstate_mac_disabled
Examples
All configuration available:
Compliance and Standards
Standard | Value |
---|---|
OWASP API Top 10 | A08:2021 |
OWASP LLM Top 10 | LLM02:2023 |
PCI DSS | 6.5.8 |
GDPR | Article-32 |
SOC2 | CC1 |
PSD2 | Article-95 |
ISO 27001 | A.14.2 |
NIST | SP800-53 |
FedRAMP | AC-4 |
CWE | 353 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C |
CVSS Score | 5.1 |