Unencrypted view state in ASP.NET 2.0 could leak sensitive information
Description
The application uses the ASP.NET 2.0 view state (__VIEWSTATE) feature without encryption to maintain application state. The view state can be protected from tampering by using either encryption or signing. If only signing is used (without encryption), then the internal value of the view state parameter can be exposed simply by Base64-decoding it.
In a well-designed application, the view state should never contain any sensitive information. However, application designers have been known to put passwords and other sensitive data inside the view state. Therefore, it is a good idea to always use view state encryption in ASP.NET applications.
Solution(s)
- fix-http-asp-dot-net-unencrypted-viewstate
- Lightweight Endpoint Agent
- Live Dashboards
- Real Risk Prioritization
- IT-Integrated Remediation Projects
- Cloud, Virtual, and Container Assessment
- Integrated Threat Feeds
- Easy-to-Use RESTful API
- Automation-Assisted Patching
- Automated Containment
With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.
– Scott Cheney, Manager of Information Security, Sierra View Medical Center