
View State Mac Disabled

What does this mean ?

The ViewState is a mechanism built into the ASP.NET framework for preserving user interface state and other data between requests. The server serializes the data to be preserved and sends it to the client in a hidden form field; when the form is submitted back, the server deserializes the ViewState parameter and recovers the data. By default the server signs the serialized value so that tampering by the user is detected; however, this protection can be switched off by setting the Page's EnableViewStateMac setting to false.

What can happen ?

If this is done, an attacker can alter the ViewState's contents so that arbitrary data is deserialized and processed by the server. If the ViewState contains items on which the server's processing of the request depends, this may result in a security vulnerability.
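The mechanism described above, as an added illustration that is not part of the original page and not ASP.NET's own code: a toy "ViewState" is serialized into a base64 form field with an HMAC tag appended when the MAC is enabled. A client that rewrites the field can change what the server deserializes when the MAC is disabled, but the same edit is rejected when it is enabled. The key, the JSON/HMAC-SHA256 format and the state values are constructed stand-ins; ASP.NET's real format and key derivation (from machineKey) differ.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed server-side secret for the demonstration only. ASP.NET derives its
# MAC key from the machineKey configuration; this is not that key or format.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def encode_state(state: dict, mac_enabled: bool) -> str:
    """Serialize page state into a base64 form field, appending an HMAC tag if enabled."""
    payload = json.dumps(state, sort_keys=True).encode()
    if mac_enabled:
        payload += hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return base64.b64encode(payload).decode()


def decode_state(field: str, mac_enabled: bool) -> dict:
    """Deserialize a form field. With the MAC enabled, refuse anything whose tag fails."""
    raw = base64.b64decode(field)
    if mac_enabled:
        payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
        # Constant-time comparison so the check itself does not leak the tag.
        if not hmac.compare_digest(tag, expected):
            raise ValueError("ViewState MAC validation failed")
    else:
        payload = raw
    return json.loads(payload)


def rewrite_field(field: str, new_state: dict, mac_enabled: bool) -> str:
    """Model a client that replaces the serialized state but holds no key.

    It can only keep whatever tag was already present, which no longer matches.
    """
    raw = base64.b64decode(field)
    new_payload = json.dumps(new_state, sort_keys=True).encode()
    if mac_enabled:
        new_payload += raw[-TAG_LEN:]  # stale tag, computed over the old payload
    return base64.b64encode(new_payload).decode()


def simulate(mac_enabled: bool) -> Tuple[bool, Optional[dict]]:
    """Round-trip state through a rewriting client; return (accepted, state seen by server)."""
    original = {"user": "alice", "is_admin": False}        # constructed sample state
    field = encode_state(original, mac_enabled)
    altered = rewrite_field(field, {"user": "alice", "is_admin": True}, mac_enabled)
    try:
        return True, decode_state(altered, mac_enabled)
    except ValueError:
        return False, None


if __name__ == "__main__":
    print("MAC disabled:", simulate(mac_enabled=False))  # server processes the altered state
    print("MAC enabled: ", simulate(mac_enabled=True))   # server rejects the field
```

The point of the example is the last two lines: with the MAC enabled the server never reaches the deserialization step for a modified field, which is why the default should be left in place.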

Recommendation

There is no compelling reason to depart from the normal ASP.NET practice of signing the ViewState to detect tampering. You should configure the Page to guarantee that this happens: on any pages where the ViewState is not currently signed, set the EnableViewStateMac attribute to true.

Sample Code

Vulnerable:

<system.web>
  ...
  <pages [..] enableViewStateMac="false" [..]/>
  ...
</system.web>

Non-vulnerable:

<system.web>
  ...
  <pages [..] enableViewStateMac="true" [..]/>
  ...
</system.web>
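A check a reviewer can run over a code base to find the vulnerable setting, added here as an example and not part of the original page: it parses web.config for any <pages> element (site-wide or inside a <location>) that explicitly sets enableViewStateMac="false", and scans .aspx sources for an @Page directive that does the same. The config and directive samples are constructed; the function names are my own.

```python
import re
import xml.etree.ElementTree as ET
from typing import List

# Constructed web.config samples, not taken from any real deployment.
WEB_CONFIG_VULNERABLE = """<configuration>
  <system.web>
    <pages enableViewStateMac="false" />
  </system.web>
  <location path="Admin">
    <system.web>
      <pages enableViewStateMac="true" />
    </system.web>
  </location>
</configuration>"""

WEB_CONFIG_HARDENED = """<configuration>
  <system.web>
    <pages enableViewStateMac="true" />
  </system.web>
</configuration>"""

# Constructed .aspx page directives.
ASPX_VULNERABLE = '<%@ Page Language="C#" EnableViewStateMac="false" AutoEventWireup="true" %>'
ASPX_OK = '<%@ Page Language="C#" AutoEventWireup="true" %>'

# Match EnableViewStateMac="..." inside a <%@ Page ... %> directive only.
PAGE_DIRECTIVE = re.compile(
    r'<%@\s*Page\b[^%]*?EnableViewStateMac\s*=\s*"(?P<value>[^"]*)"',
    re.IGNORECASE | re.DOTALL,
)


def audit_web_config(xml_text: str) -> List[str]:
    """Return one finding per <pages> element that explicitly disables the ViewState MAC."""
    root = ET.fromstring(xml_text)
    # ElementTree has no parent pointers; build a map so findings can name their scope.
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for pages in root.iter("pages"):
        value = next(
            (v for k, v in pages.attrib.items() if k.lower() == "enableviewstatemac"), ""
        )
        if value.strip().lower() != "false":
            continue
        scope = "site-wide"
        node = pages
        while node in parents:
            node = parents[node]
            if node.tag == "location":
                scope = 'location path="%s"' % node.attrib.get("path", "")
                break
        findings.append('<pages enableViewStateMac="false"> (%s)' % scope)
    return findings


def audit_aspx(source: str) -> List[str]:
    """Return a finding for each @Page directive that sets EnableViewStateMac to false."""
    return [
        '@Page directive sets EnableViewStateMac="false"'
        for m in PAGE_DIRECTIVE.finditer(source)
        if m.group("value").strip().lower() == "false"
    ]


if __name__ == "__main__":
    for name, cfg in (("vulnerable", WEB_CONFIG_VULNERABLE), ("hardened", WEB_CONFIG_HARDENED)):
        print(name, audit_web_config(cfg))
    for name, src in (("vulnerable", ASPX_VULNERABLE), ("ok", ASPX_OK)):
        print(name, audit_aspx(src))
```

Note that the absence of the attribute is reported as clean because the framework default is to sign the ViewState; only an explicit "false" is a finding, and a <location> that re-enables the MAC does not cancel a site-wide "false" for the pages it does not cover.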

References