Rapid7 Vulnerability & Exploit Database

Unencrypted view state in ASP.NET 2.0 could leak sensitive information

Back to Search

Unencrypted view state in ASP.NET 2.0 could leak sensitive information

Severity
5
CVSS
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
Published
10/31/2007
Created
07/25/2018
Added
11/26/2007
Modified
02/13/2015

Description

The application uses the ASP.NET 2.0 view state (__VIEWSTATE) feature without encryption to maintain application state. The view state can be protected from tampering by using either encryption or signing. If only signing is used (without encryption), then the internal value of the view state parameter can be exposed simply by Base64-decoding it.

In a well-designed application, the view state should never contain any sensitive information. However, application designers have been known to put passwords and other sensitive data inside the view state. Therefore, it is a good idea to always use view state encryption in ASP.NET applications.

Solution(s)

  • fix-http-asp-dot-net-unencrypted-viewstate

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;