ViewStateMac is Not Enabled - Vulnerability Database

Description

The application has ViewState Message Authentication Code (MAC) validation disabled, which removes cryptographic integrity protection from the ViewState parameter. ViewState is used by ASP.NET to preserve page and control state across postbacks. Without MAC validation enabled, attackers can modify the ViewState data without detection, potentially injecting malicious values or altering application state.
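The following is an added illustration of the integrity mechanism described above; it is not Invicti's code and not ASP.NET's real ViewState format. It models ViewState as a serialized state blob with an HMAC-SHA256 tag appended, using a constructed key in place of the machineKey validation key, and shows that an edited blob is accepted when MAC validation is off and rejected when it is on:

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key. ASP.NET derives the real MAC key from the
# <machineKey validationKey="..."> setting in web.config (assumption: model only).
DEMO_VALIDATION_KEY = b"constructed-demo-key-not-for-production"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def _serialize(state: dict) -> bytes:
    # Deterministic serialization so the MAC covers a canonical byte string.
    return json.dumps(state, sort_keys=True, separators=(",", ":")).encode()


def protect_state(state: dict, key: bytes = DEMO_VALIDATION_KEY) -> str:
    """Serialize the page state and append an HMAC tag (the 'MAC enabled' path)."""
    payload = _serialize(state)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + tag).decode()


def unprotect_state(token: str, key: bytes = DEMO_VALIDATION_KEY,
                    mac_enabled: bool = True) -> dict:
    """Decode a token. With mac_enabled=False the payload is trusted as-is,
    which is exactly the weakness the finding describes."""
    raw = base64.b64decode(token)
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    if mac_enabled:
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        # Constant-time comparison avoids leaking tag bytes through timing.
        if not hmac.compare_digest(tag, expected):
            raise ValueError("ViewState MAC validation failed")
    return json.loads(payload)


def modify_without_key(token: str, field: str, value) -> str:
    """Simulate a client that edits one field of the state but has no key,
    so it can only keep the stale tag. Used here to show what the MAC detects."""
    raw = base64.b64decode(token)
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    state = json.loads(payload)
    state[field] = value
    return base64.b64encode(_serialize(state) + tag).decode()


def demo() -> dict:
    """Run both paths and report whether the edit was caught."""
    token = protect_state({"price": 100, "role": "user"})
    edited = modify_without_key(token, "role", "admin")
    accepted_without_mac = unprotect_state(edited, mac_enabled=False)["role"]
    try:
        unprotect_state(edited)  # MAC enabled
        rejected_with_mac = False
    except ValueError:
        rejected_with_mac = True
    return {"without_mac": accepted_without_mac, "rejected_with_mac": rejected_with_mac}


if __name__ == "__main__":
    print(demo())
```

The point the demo makes is that the MAC ties the serialized state to a server-held secret: without it, the server simply deserializes whatever the client sends back, so any field (a price, a role flag, a control value) can be changed and the server cannot tell.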

Remediation

Enable ViewState MAC validation to ensure cryptographic integrity of ViewState data. This can be configured at the page level or application level:

Page Level Configuration:
Add the EnableViewStateMac attribute to the Page directive:

<%@ Page EnableViewStateMac="true" %>

Application Level Configuration (Recommended):
Set the enableViewStateMac attribute on the pages element in web.config to enforce it across all pages:

<configuration>
  <system.web>
    <pages enableViewStateMac="true" />
  </system.web>
</configuration>

For ASP.NET 4.5.2 and later, also set the viewStateEncryptionMode attribute to "Always" for sensitive applications, so that the ViewState contents are encrypted as well as integrity-protected:

<pages enableViewStateMac="true" viewStateEncryptionMode="Always" />

After making these changes, test the application thoroughly to ensure all postback functionality works correctly.
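As an added example (not part of the Invicti page, and not a tool the vendor ships), the following audit script checks both configuration levels described in the remediation: it parses a web.config for pages elements that set enableViewStateMac="false" or leave viewStateEncryptionMode at something other than "Always", and scans .aspx source for a Page directive that disables the MAC. It handles the defaults correctly (an absent attribute means MAC validation is on) and matches directive attribute names case-insensitively, as ASP.NET does. The sample web.config and page strings are constructed for the demonstration:

```python
import re
import xml.etree.ElementTree as ET

# Match the <%@ Page ... %> directive and pull out its name="value" attributes.
PAGE_DIRECTIVE_RE = re.compile(r"<%@\s*Page\b(?P<attrs>.*?)%>", re.IGNORECASE | re.DOTALL)
ATTR_RE = re.compile(r'(?P<name>[A-Za-z_][\w\-]*)\s*=\s*"(?P<value>[^"]*)"')


def audit_web_config(xml_text: str) -> list:
    """Return findings for every <pages> element in a web.config.

    root.iter() is used instead of a fixed path so that <pages> elements nested
    under <location> overrides are checked as well as the top-level system.web one.
    """
    findings = []
    root = ET.fromstring(xml_text)
    for pages in root.iter("pages"):
        # ASP.NET default when the attribute is absent is "true".
        mac = pages.get("enableViewStateMac", "true").strip().lower()
        if mac == "false":
            findings.append('web.config: <pages enableViewStateMac="false"> '
                            "disables MAC validation application-wide")
        # Default is "Auto"; the remediation recommends "Always" for sensitive apps.
        mode = pages.get("viewStateEncryptionMode", "Auto").strip()
        if mode != "Always":
            findings.append(f'web.config: viewStateEncryptionMode="{mode}" '
                            '(set "Always" for sensitive applications)')
    return findings


def audit_page_source(path: str, source: str) -> list:
    """Return findings for Page directives that set EnableViewStateMac="false"."""
    findings = []
    for match in PAGE_DIRECTIVE_RE.finditer(source):
        # Directive attribute names are case-insensitive in ASP.NET.
        attrs = {name.lower(): value for name, value in ATTR_RE.findall(match.group("attrs"))}
        if attrs.get("enableviewstatemac", "true").strip().lower() == "false":
            findings.append(f'{path}: Page directive sets EnableViewStateMac="false"')
    return findings


# Constructed sample inputs for the demonstration.
WEAK_WEB_CONFIG = """<configuration>
  <system.web>
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>"""

FIXED_WEB_CONFIG = """<configuration>
  <system.web>
    <pages enableViewStateMac="true" viewStateEncryptionMode="Always" />
  </system.web>
</configuration>"""

WEAK_PAGE = ('<%@ Page Language="C#" enableviewstatemac="false" AutoEventWireup="true" %>\n'
             "<html><body><form runat=\"server\"></form></body></html>")

FIXED_PAGE = '<%@ Page Language="C#" EnableViewStateMac="true" %>'


if __name__ == "__main__":
    for finding in audit_web_config(WEAK_WEB_CONFIG) + audit_page_source("Checkout.aspx", WEAK_PAGE):
        print("FINDING:", finding)
    print("fixed config findings:", audit_web_config(FIXED_WEB_CONFIG))
    print("fixed page findings:", audit_page_source("Checkout.aspx", FIXED_PAGE))
```

Run it over a real deployment by feeding each web.config and .aspx file's contents to the two functions; a page-level "false" overrides an application-level "true", so both checks are needed before closing the finding.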
