ASP.NET viewstate encryption disabled - Vulnerability Database

ASP.NET viewstate encryption disabled

Description

The ASP.NET application has ViewState encryption disabled: the viewStateEncryptionMode property is set to Never in web.config (the same setting can also be applied per page through the ViewStateEncryptionMode attribute of the @ Page directive). ViewState preserves page and control state across postbacks by serializing it with ObjectStateFormatter and placing the result in the hidden __VIEWSTATE form field. When encryption is disabled, that serialized data is only base64-encoded, so anyone who views the page source or intercepts a request can decode it with standard tools. If the ViewState contains sensitive information such as user data, session details, or application state, this configuration exposes that data to unauthorized access. Note that encryption and MAC validation are separate controls: enableViewStateMac protects the integrity of the field, viewStateEncryptionMode protects its confidentiality, and a MAC alone does nothing to hide the contents.
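To see what is actually exposed, the following decoder is an added example written for this page (not Invicti's or Microsoft's code). It base64-decodes a __VIEWSTATE value, checks for the FF 01 marker that unencrypted ObjectStateFormatter output always starts with, and walks the serialized object graph. The three sample __VIEWSTATE values are constructed for the example: the 20-byte trailer on the MAC-only sample and the "ciphertext" bytes are stand-ins, not real output from an ASP.NET server.

```python
"""Decode an ASP.NET __VIEWSTATE value when it is not encrypted.

Added example for this page, not code from Invicti or Microsoft. It reads the
subset of the System.Web.UI.ObjectStateFormatter binary format that ordinary
pages produce; the sample __VIEWSTATE values at the bottom are constructed.
"""
import base64

MARKER = b"\xff\x01"  # ObjectStateFormatter format marker and version 1
T_INT16, T_INT32, T_STRING, T_PAIR, T_TRIPLET = 0x01, 0x02, 0x05, 0x0F, 0x10
T_ARRAYLIST, T_HASHTABLE, T_INDEXED_STRING_ADD, T_INDEXED_STRING = 0x16, 0x17, 0x1E, 0x1F
SIMPLE = {0x64: None, 0x65: "", 0x66: 0, 0x67: True, 0x68: False}  # Null .. False


class ViewStateReader:
    """Sequential reader over the bytes that follow the FF 01 marker."""

    def __init__(self, data: bytes):
        self.data, self.pos, self.strings = data, 0, []

    def byte(self) -> int:
        self.pos += 1
        return self.data[self.pos - 1]

    def encoded_int(self) -> int:
        """BinaryWriter.Write7BitEncodedInt: 7 bits per byte, low bits first."""
        result = shift = 0
        while True:
            b = self.byte()
            result |= (b & 0x7F) << shift
            if not b & 0x80:
                return result - (1 << 32) if result > 0x7FFFFFFF else result
            shift += 7

    def string(self) -> str:
        n = self.encoded_int()  # BinaryWriter.Write(string): length prefix, UTF-8
        self.pos += n
        return self.data[self.pos - n:self.pos].decode("utf-8")

    def value(self):
        t = self.byte()
        if t in SIMPLE:
            return SIMPLE[t]
        if t == T_INT32:
            return self.encoded_int()
        if t == T_INT16:
            v = self.byte() | (self.byte() << 8)
            return v - 0x10000 if v > 0x7FFF else v
        if t == T_STRING:
            return self.string()
        if t == T_INDEXED_STRING_ADD:  # first occurrence carries the text
            self.strings.append(self.string())
            return self.strings[-1]
        if t == T_INDEXED_STRING:  # later occurrences carry a table index
            return self.strings[self.encoded_int()]
        if t == T_PAIR:
            return (self.value(), self.value())
        if t == T_TRIPLET:
            return (self.value(), self.value(), self.value())
        if t == T_ARRAYLIST:
            return [self.value() for _ in range(self.encoded_int())]
        if t == T_HASHTABLE:
            table = {}
            for _ in range(self.encoded_int()):
                key = self.value()  # each key is serialized before its value
                table[key] = self.value()
            return table
        raise ValueError(f"unsupported token 0x{t:02x} at offset {self.pos - 1}")


def decode_viewstate(b64: str) -> dict:
    """Classify a __VIEWSTATE value and decode it when it is plaintext.

    Unencrypted ViewState starts with FF 01 once base64 is stripped; a MAC, when
    present, is appended after the serialized state and shows up here as an
    unparsed trailer. Encrypted ViewState carries no marker and stays opaque.
    """
    raw = base64.b64decode(b64)
    if not raw.startswith(MARKER):
        return {"plaintext": False, "state": None, "trailer_bytes": None}
    reader = ViewStateReader(raw[len(MARKER):])
    state = reader.value()
    return {"plaintext": True, "state": state,
            "trailer_bytes": len(reader.data) - reader.pos}


# Constructed sample of what a page might store with viewStateEncryptionMode="Never":
# Triplet( Pair(Int32 1234, "user@example.com"), Pair("IsAdmin", True), ArrayList["IsAdmin", Null] )
_STATE = (
    b"\xff\x01" b"\x10"                  # marker + version, Triplet
    b"\x0f" b"\x02\xd2\x09"              # Pair, Int32 1234 (7-bit encoded)
    b"\x05\x10user@example.com"          # String, length 16
    b"\x0f" b"\x1e\x07IsAdmin" b"\x67"   # Pair, IndexedStringAdd, True
    b"\x16\x02" b"\x1f\x00" b"\x64"      # ArrayList(2): IndexedString[0], Null
)
SAMPLE_UNENCRYPTED = base64.b64encode(_STATE).decode()
# Same state plus a constructed 20-byte trailer standing in for an appended MAC.
SAMPLE_MAC_ONLY = base64.b64encode(_STATE + bytes(range(20))).decode()
# Constructed stand-in for ciphertext: no FF 01 marker, nothing to parse.
SAMPLE_ENCRYPTED = base64.b64encode(bytes.fromhex("9c4e1ab3f07d5e2281c6ad0f")).decode()
```

Call decode_viewstate() on a value copied from a real page: a result with plaintext set to True confirms the finding, and the state it returns is exactly what any client can read, MAC or no MAC. Tokens the reader does not implement (DateTime, Type references, BinarySerialized objects) raise ValueError; extend value() as needed. Whether or not the field is encrypted, its authenticity is the job of enableViewStateMac, which should stay on.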

Remediation

Enable ViewState encryption by modifying the viewStateEncryptionMode property in the web.config file (or per page via the ViewStateEncryptionMode attribute of the @ Page directive). Set it to Auto or Always. Auto, which is the ASP.NET default, only encrypts ViewState on pages where a control has called Page.RegisterRequiresViewStateEncryption(); if no control does, the ViewState remains unencrypted, so Auto is an adequate fix for most applications only once you have verified that the controls holding sensitive state request encryption. Always encrypts ViewState for every page and is the safer choice whenever ViewState consistently contains sensitive data, at the cost of some CPU time and a larger hidden field. In either mode keep enableViewStateMac at its default of true, and in a web farm configure an explicit machineKey so that every server can decrypt ViewState produced by the others.

Configuration Example:

<configuration>
  <system.web>
    <pages viewStateEncryptionMode="Auto" />
  </system.web>
</configuration>

Additionally, review your application code and minimize the sensitive data stored in ViewState: even when encrypted, it is sent to the client in every response and posted back with every request. Keep sensitive information in server-side session state, or in cookies marked Secure and HttpOnly, instead.

Related Vulnerabilities