Description

EnableViewStateMac is turned off for this web application. View state MAC checking is controlled through a @Page directive attribute named EnableViewStateMac, which is set to true by default. Never disable it; disabling it makes one-click attacks that tamper with the view state possible, with a high chance of success.

By default, the view state is Base64-encoded and signed with a hash value to prevent tampering. Unless you change the default page settings, the view state is not at risk of tampering. If an attacker modifies the view state, or even rebuilds it using the right algorithm, ASP.NET catches the attempt and throws an exception. A tampered view state is not necessarily harmful, although it does modify the state of server controls, but it can become the vehicle of serious infections. For this reason, it is extremely important that you do not remove the machine authentication code (MAC) cross-checking that takes place by default.

Remediation

EnableViewStateMac should be set to true for protection against view state tampering.
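
One way to find where the setting has been turned off before fixing it, as an added example rather than code from the scanner or from ASP.NET: the script checks `@Page` directives and the `<pages>` element of a web.config, including `<location>` overrides. The function names and the sample inputs are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# <%@ Page ... %> directive; attribute names in directives are case-insensitive.
PAGE_DIRECTIVE = re.compile(r'<%@\s*Page\b(?P<attrs>[^%]*)%>', re.I)
MAC_OFF = re.compile(r'\bEnableViewStateMac\s*=\s*["\']\s*false\s*["\']', re.I)

def audit_page(text):
    """Line numbers of @Page directives that set EnableViewStateMac="false"."""
    return [text.count("\n", 0, m.start()) + 1
            for m in PAGE_DIRECTIVE.finditer(text)
            if MAC_OFF.search(m.group("attrs"))]

def audit_web_config(xml_text):
    """Paths of <pages> elements that set enableViewStateMac="false"."""
    hits = []
    def walk(node, path):
        tag = node.tag.rsplit("}", 1)[-1]      # drop an XML namespace, if any
        here = f"{path}/{tag}"
        if tag == "location" and node.get("path"):
            here += f"[@path='{node.get('path')}']"
        if tag == "pages" and node.get("enableViewStateMac", "").strip().lower() == "false":
            hits.append(here)
        for child in node:
            walk(child, here)
    walk(ET.fromstring(xml_text), "")
    return hits

# Constructed sample inputs (not taken from any real application).
SAMPLE_ASPX = '''<%@ Page Language="C#" AutoEventWireup="true"
    EnableViewStateMac="false" Inherits="Demo.Default" %>
<html><body><form runat="server"></form></body></html>
'''
SAMPLE_OK_ASPX = '<%@ Page Language="C#" EnableViewStateMac="true" %>\n'
SAMPLE_CONFIG = '''<configuration>
  <system.web>
    <pages enableViewStateMac="true" />
  </system.web>
  <location path="legacy">
    <system.web>
      <pages enableViewStateMac="false" />
    </system.web>
  </location>
</configuration>'''

if __name__ == "__main__":
    print("page directive hits (line numbers):", audit_page(SAMPLE_ASPX))
    print("web.config hits:", audit_web_config(SAMPLE_CONFIG))
```

Each hit is a place to set the attribute back to true or to remove it so the default applies.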
