Get a demo
100% Signal 0% Noise Invicti Logo - The Largest Dynamic Application Security Solutions Provider In The World Get a demo
Web Application Vulnerabilities Runtime SCA Findings
Looking for the vulnerability index of Invicti's legacy products?
Invicti Enterprise Acunetix Standard & Premium
ASP.NET viewstate encryption disabled - Vulnerability Database

ASP.NET viewstate encryption disabled

Description

This web application is configured with the pages property viewStateEncryptionMode set to Never. When configured this way, the viewstate encryption is disabled and it's possible to see the base64-encoded data stored in the viewstate. If sensitive data is stored in the state it's recommended to enable viewstate encryption.

Remediation

It's recommended to enable viewstate encryption by setting the <strong>page</strong> property <strong>viewStateEncryptionMode</strong> to <strong>Auto</strong> or <strong>Always</strong>. <pre> &lt;pages viewStateEncryptionMode=&quot;Auto&quot;&gt; </pre>

References

ViewStateEncryptionMode

Related Vulnerabilities

Trace.axd Detected High
Common tags: Configuration Information Disclosure
Nuxt.js Running in Development Mode Low
Common tags: Configuration Information Disclosure
Laravel Terminal open High
Common tags: Configuration Information Disclosure
Core dump file High
Common tags: Configuration Information Disclosure
GoCD information disclosure (CVE-2021-43287) High
Common tags: Configuration Information Disclosure

Severity

Medium

Classification

CWE-16
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Tags

Configuration
Information Disclosure