Description

ViewStateUserKey was not set on this web application. ViewStateUserKey helps you prevent one-click attacks (CSRF) by providing additional input to create the hash value that defends the view state against tampering. In other words, ViewStateUserKey makes it much harder for hackers to use the content of the client-side view state to prepare malicious posts against the site. The property can be assigned any non-empty string, preferably the session ID or the user's ID. When the request is processed, ASP.NET extracts the key from the view state and compares it against the ViewStateUserKey of the running page. If the two match, the request is considered legitimate; otherwise an exception is thrown.

Remediation

Here's the code you need to have in all of your pages:

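// Runs during the Init stage of every page that contains it.
void Page_Init(object sender, EventArgs e) {
   // Ties this page's view state to the current user's session.
   ViewStateUserKey = Session.SessionID;
}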
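
One way to apply the assignment above to every page without copying it into each one, shown as an added example that is not part of the original page: a base class that pages inherit from. The class name SecurePage and the session slot name are assumptions, and session state is assumed to be enabled.

```csharp
using System;
using System.Web.UI;

// Hypothetical base class (the name SecurePage is an assumption): pages derive
// from it instead of System.Web.UI.Page so the key is set in one place.
public class SecurePage : Page
{
    // Hypothetical session slot, used only to force the session to be allocated.
    private const string SessionAnchor = "__ViewStateUserKeyAnchor";

    protected override void OnInit(EventArgs e)
    {
        // ViewStateUserKey has to be assigned during Init; assigning it later
        // in the page life cycle throws an exception.
        ViewStateUserKey = ResolveUserKey();
        base.OnInit(e);
    }

    private string ResolveUserKey()
    {
        // Prefer the authenticated user's ID when there is one.
        if (User != null && User.Identity.IsAuthenticated &&
            !string.IsNullOrEmpty(User.Identity.Name))
        {
            return User.Identity.Name;
        }

        // Otherwise fall back to the session ID. With cookie-based sessions,
        // ASP.NET generates a new SessionID on every request until something
        // is stored in the session, which would make every postback fail
        // validation, so store a marker before reading the ID.
        if (Session[SessionAnchor] == null)
        {
            Session[SessionAnchor] = true;
        }
        return Session.SessionID;
    }
}
```

A code-behind class then declares `public partial class Default : SecurePage` in place of deriving from `System.Web.UI.Page`.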
