Configuration: ASP.NET ViewState MAC Validation Disabled
Identifier:
asp_net_view_state_mac_validation_disabled
Scanner(s) Support
| GraphQL Scanner | REST Scanner | WebApp Scanner | ASM Scanner |
|---|---|---|---|
Description
ASP.NET ViewState without MAC validation can be tampered with by attackers, potentially allowing arbitrary code execution, value manipulation, or user switching.
How we test: We analyze ASP.NET ViewState data in responses to detect whether MAC validation is disabled. We check the ViewState configuration and attempt to modify ViewState values to verify that tampering protection is properly enabled.
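A configuration-side check for the same condition, as an added example that is not part of the scanner or its documentation: it audits a web.config for the settings that switch ViewState MAC validation off. Both sample files are constructed, and `audit_viewstate_mac` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config (not from any real application).
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="aspnet:AllowInsecureDeserialization" value="true" />
  </appSettings>
  <system.web>
    <pages enableViewStateMac="false" />
  </system.web>
  <location path="legacy">
    <system.web>
      <pages enableViewStateMac="False" viewStateEncryptionMode="Never" />
    </system.web>
  </location>
</configuration>"""

# Constructed hardened counterpart: MAC validation on, ViewState encrypted.
HARDENED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <pages enableViewStateMac="true" viewStateEncryptionMode="Always" />
  </system.web>
</configuration>"""

def audit_viewstate_mac(web_config_xml):
    """Return a list of findings for settings that turn off ViewState MAC validation."""
    root = ET.fromstring(web_config_xml)
    findings = []
    # <pages> may sit under <system.web> directly or inside a <location> element.
    scopes = [("(root)", root)]
    scopes += [(loc.get("path", ""), loc) for loc in root.iter("location")]
    for path, scope in scopes:
        for pages in scope.findall("./system.web/pages"):
            if pages.get("enableViewStateMac", "true").strip().lower() == "false":
                findings.append(f"pages enableViewStateMac=false in scope {path}")
    # This appSetting opts back out of the MAC enforcement that newer runtimes apply.
    for add in root.findall("./appSettings/add"):
        if (add.get("key", "") == "aspnet:AllowInsecureDeserialization"
                and add.get("value", "").strip().lower() == "true"):
            findings.append("appSettings aspnet:AllowInsecureDeserialization=true")
    return findings

if __name__ == "__main__":
    for line in audit_viewstate_mac(SAMPLE_WEB_CONFIG):
        print(line)
```

The audit covers web.config only; a per-page `EnableViewStateMac="false"` attribute in an `@ Page` directive would need a separate search of the .aspx files.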
Configuration
Example
Example configuration:
Reference
skip
Type : boolean
Skip the test if true.