Configuration: ASP.NET ViewState Encryption

Identifier: asp_net_view_state_encryption

Scanner(s) Support

GraphQL Scanner, REST Scanner, WebApp Scanner, ASM Scanner

Description

ASP.NET ViewState without encryption can be read by attackers, posing a risk when ViewState stores sensitive data such as passwords, tokens, or other confidential information.

How we test: We analyze ASP.NET ViewState data in responses to detect whether encryption is disabled. We attempt to decode ViewState values to verify whether they are encrypted, and we check whether sensitive data stored in ViewState is properly protected.
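
The following is an added example, not the scanner's own code, of the kind of decode check described above. It assumes the ASP.NET serializer convention that an unencrypted ViewState base64-decodes to bytes beginning with 0xFF 0x01; the function names and all sample values are constructed for illustration.

```python
import base64
import binascii
import re

# Assumption: ObjectStateFormatter output serialized in the clear starts with
# these two marker bytes (its base64 form therefore begins with "/w").
PLAINTEXT_MAGIC = b"\xff\x01"
VIEWSTATE_RE = re.compile(
    r'<input[^>]*\bname="__VIEWSTATE"[^>]*\bvalue="([^"]*)"', re.IGNORECASE)

# Constructed sample data (not taken from any real application).
SAMPLE_PLAIN = base64.b64encode(b"\xff\x01\x05\x15api_token=constructed").decode()
SAMPLE_OPAQUE = base64.b64encode(bytes(range(16, 48))).decode()
SAMPLE_HTML = '<input type="hidden" name="__VIEWSTATE" value="%s" />' % SAMPLE_PLAIN

def extract_viewstate(html):
    """Return the __VIEWSTATE field value from a response body, or None."""
    match = VIEWSTATE_RE.search(html)
    return match.group(1) if match else None

def classify_viewstate(value):
    """Classify a __VIEWSTATE value as 'unencrypted', 'opaque' or 'invalid'."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return "invalid"
    if len(raw) < 2:
        return "invalid"
    if raw.startswith(PLAINTEXT_MAGIC):
        return "unencrypted"
    return "opaque"  # no plaintext marker: consistent with encryption, not proof

def readable_strings(value, min_len=4):
    """List printable ASCII runs a reader could recover from the decoded value."""
    raw = base64.b64decode(value)
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, raw)]

if __name__ == "__main__":
    value = extract_viewstate(SAMPLE_HTML)
    print(classify_viewstate(value), readable_strings(value))
```

A result of "unencrypted" together with readable strings that look like secrets is the condition this test reports.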

Configuration

Example

Example configuration:

---
security_tests:
  asp_net_view_state_encryption:
    skip: false

Reference

skip

Type: boolean

Skip the test if true.