ViewState is not Encrypted
Description
The application transmits the __VIEWSTATE parameter without encryption on one or more pages. ViewState is a hidden field used by ASP.NET to maintain page state between postbacks and may contain sensitive application data, control properties, or user-specific information. Without encryption, this data is only base64-encoded, making it easily readable by anyone who intercepts or views the page source.
Remediation
Enable ViewState encryption for all pages that store sensitive data in ViewState. This can be configured at the page level or application-wide:
1. Page-Level Configuration: Set the ViewStateEncryptionMode property in the page directive or code-behind:

<%@ Page ViewStateEncryptionMode="Always" %>

Or in code-behind:

protected override void OnInit(EventArgs e)
{
    // Must be set before the page's state is saved; Init is early enough.
    ViewStateEncryptionMode = System.Web.UI.ViewStateEncryptionMode.Always;
    base.OnInit(e);
}

2. Application-Wide Configuration: Add the following to web.config within the <system.web> section:

<pages viewStateEncryptionMode="Always" />
3. For ASP.NET 4.5 and later, ensure you are using the improved cryptographic algorithms by verifying that the machineKey configuration specifies modern encryption and validation methods.
Note: ViewStateEncryptionMode options are "Always" (recommended for sensitive data), "Auto" (encrypts only when requested by controls), or "Never" (not recommended).
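The following script is an added verification example, not part of the original finding text and not code from ASP.NET or any scanner. It shows how a defender can confirm, from a saved copy of a page's HTML, whether the __VIEWSTATE field is still readable: the serialized ViewState produced by ASP.NET's ObjectStateFormatter begins with the marker bytes 0xFF 0x01 (the familiar "/wE" prefix of the base64 field), so a value that base64-decodes to those bytes is unencrypted, while an encrypted value decodes to ciphertext without the marker. The script also reassembles a ViewState that ASP.NET has split across __VIEWSTATE, __VIEWSTATE1, ... with __VIEWSTATEFIELDCOUNT, and tolerates a missing base64 padding. The sample pages and their field values are constructed for the example, and the function and variable names are the example's own.

```python
import base64
import re
from html.parser import HTMLParser
from typing import Dict, Optional

# Serialized ObjectStateFormatter output (what ASP.NET writes into __VIEWSTATE)
# starts with the two marker bytes 0xFF 0x01. Unencrypted ViewState therefore
# base64-decodes to bytes with this prefix; encrypted ViewState does not.
LOS_HEADER = b"\xff\x01"


class _HiddenFieldCollector(HTMLParser):
    """Collect name/value pairs of <input type="hidden"> elements."""

    def __init__(self) -> None:
        super().__init__()
        self.fields: Dict[str, str] = {}

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        a = dict(attrs)
        if (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""


def hidden_fields(html: str) -> Dict[str, str]:
    """Return all hidden form fields found in the page as a name -> value dict."""
    parser = _HiddenFieldCollector()
    parser.feed(html)
    return parser.fields


def reassemble_viewstate(fields: Dict[str, str]) -> Optional[str]:
    """Join a chunked ViewState (__VIEWSTATEFIELDCOUNT + __VIEWSTATE, __VIEWSTATE1, ...)."""
    if "__VIEWSTATE" not in fields:
        return None
    count = int(fields.get("__VIEWSTATEFIELDCOUNT") or "1")
    parts = [fields["__VIEWSTATE"]]
    for i in range(1, count):
        parts.append(fields.get(f"__VIEWSTATE{i}", ""))
    return "".join(parts)


def decode_b64_lenient(value: str) -> Optional[bytes]:
    """Base64-decode, ignoring whitespace and restoring any stripped padding."""
    compact = re.sub(r"\s+", "", value)
    compact += "=" * (-len(compact) % 4)
    try:
        return base64.b64decode(compact, validate=True)
    except Exception:
        return None


def classify_viewstate(html: str) -> str:
    """Return 'absent', 'undecodable', 'unencrypted' or 'encrypted' for a page."""
    fields = hidden_fields(html)
    viewstate = reassemble_viewstate(fields)
    if viewstate is None:
        return "absent"
    raw = decode_b64_lenient(viewstate)
    if raw is None:
        return "undecodable"
    # The marker bytes are only visible when the payload is not encrypted.
    return "unencrypted" if raw.startswith(LOS_HEADER) else "encrypted"


# Constructed sample pages (not captured from any real application).
_PLAIN = base64.b64encode(b"\xff\x01\x0f\x0f\x05\x07SECRET\x64\x64").decode()
_CIPHER = base64.b64encode(bytes(range(0x10, 0x30))).decode()  # stands in for ciphertext

UNENCRYPTED_PAGE = f'''<form method="post" action="./Default.aspx">
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="{_PLAIN}" />
</form>'''

ENCRYPTED_PAGE = f'''<form method="post" action="./Default.aspx">
<input type="hidden" name="__VIEWSTATEENCRYPTED" id="__VIEWSTATEENCRYPTED" value="" />
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="{_CIPHER}" />
</form>'''

# Same unencrypted payload, split into two chunks the way ASP.NET does it.
_HALF = len(_PLAIN) // 2
CHUNKED_PAGE = f'''<form method="post">
<input type="hidden" name="__VIEWSTATEFIELDCOUNT" value="2" />
<input type="hidden" name="__VIEWSTATE" value="{_PLAIN[:_HALF]}" />
<input type="hidden" name="__VIEWSTATE1" value="{_PLAIN[_HALF:]}" />
</form>'''

if __name__ == "__main__":
    for label, page in [("plain", UNENCRYPTED_PAGE), ("encrypted", ENCRYPTED_PAGE),
                        ("chunked", CHUNKED_PAGE)]:
        print(f"{label}: {classify_viewstate(page)}")
```

Run it against a saved response body from each page the finding lists; "unencrypted" confirms the finding, "encrypted" confirms the remediation took effect, and "undecodable" means the field was truncated or altered in transit and the page should be re-captured. The check reads only the marker bytes and never deserializes the payload.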