Unencrypted ViewState is a vulnerability found mostly in ASP.NET web applications. When the ViewState is not encrypted, an attacker can read and take control of the ViewState of the application and thereby gather sensitive information about the web application, such as usernames, passwords, machine names and/or sensitive file locations.
ViewState is a state management mechanism that maintains the state of pages by storing page values at the time of postback. The type of the ViewState is System.Web.UI.StateBag, an ASP.NET dictionary that stores the values.
How to secure ViewState?
To secure the ViewState and give an attacker no chance to intercept it, we must use the following protections:
1. Tamper proofing --> A technique that adds a hash code to the ViewState by setting the MAC (Message Authentication Code) attribute on the page:
<%@ Page EnableViewStateMac="true" %>
By default, ASP.NET generates the ViewState hash code using the SHA1 hash algorithm. Alternatively, you can select the MD5 algorithm by setting the following in the machine.config file:
<machineKey validation="MD5" />
2. Encryption --> Encryption is used to protect the data values within the ViewState. In the encryption process, first set the MAC value to true as in the point above, and then set the machineKey validation to 3DES:
<machineKey validation="3DES" />
3. Providing a validation key to validate the ViewState. The validation key is 40 to 128 hexadecimal characters. For example:
<machineKey validation="SHA1" validationKey="HAHHUYAT67JJKLAAITGNAH7899KJAUYTGHAHHJK1678LKAHNBVCAGCZDGAU89IOKHGG" />
General fix recommendation for Unencrypted_Viewstate:
Add <machineKey validation="3DES" /> to the web.config file under the <system.web> element.
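The following Python script is an added example that is not part of the original article and not ASP.NET's own code. It shows the defender-side checks that go with the three steps above: classifying a __VIEWSTATE value as readable plaintext or opaque by looking for the 0xFF 0x01 header that ASP.NET's ObjectStateFormatter writes at the start of every unencrypted ViewState, listing the strings such a plaintext value exposes, and demonstrating why a MAC (step 1) stops modification but does not hide contents, so encryption (step 2) is still needed. The two sample values are constructed to mimic the serializer's layout, not captures from a real application, and the HMAC-SHA256 routine illustrates the tamper-proofing principle only; ASP.NET's own EnableViewStateMac construction differs.

```python
"""Constructed ViewState samples and checks (added example, not from the article)."""
import base64
import hashlib
import hmac
import re
from typing import List, Optional

# ASP.NET's ObjectStateFormatter begins every serialized ViewState with the
# marker bytes 0xFF 0x01. Once the value is encrypted, that header (and every
# string behind it) is no longer visible, so the decoded bytes look random.
PLAINTEXT_MARKER = b"\xff\x01"


def classify_viewstate(viewstate_b64: str) -> str:
    """'plaintext' when the serializer header is visible (readable, at best
    MAC-protected); 'opaque' otherwise (encrypted, or not ViewState at all)."""
    raw = base64.b64decode(viewstate_b64)
    return "plaintext" if raw.startswith(PLAINTEXT_MARKER) else "opaque"


def exposed_strings(viewstate_b64: str, min_len: int = 4) -> List[str]:
    """Printable ASCII runs inside the decoded value: what anyone holding a
    plaintext ViewState can read without any key. Ciphertext can contain
    coincidental short runs, so the header check, not this list, classifies."""
    raw = base64.b64decode(viewstate_b64)
    pattern = rb"[ -~]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, raw)]


def _string_token(s: bytes) -> bytes:
    """String token (0x05) with a one-byte length prefix, as the serializer
    writes short strings. Constructed approximation, enough for the demo."""
    return b"\x05" + bytes([len(s)]) + s


# Constructed stand-in for an unencrypted ViewState: header, a Pair token
# (0x0F) holding two strings. Not a capture from a real application.
PLAINTEXT_SAMPLE = base64.b64encode(
    PLAINTEXT_MARKER + b"\x0f"
    + _string_token(b"Path=C:\\inetpub\\reports\\q3.xlsx")
    + _string_token(b"LastUser=jdoe@example.com")
).decode("ascii")

# Constructed stand-in for ciphertext: no serializer header at the front.
OPAQUE_SAMPLE = base64.b64encode(
    b"\x8a\x3c" + hashlib.sha256(b"constructed opaque sample").digest()
).decode("ascii")


def protect(payload: bytes, key: bytes) -> bytes:
    """Append an HMAC-SHA256 tag: the principle behind EnableViewStateMac.
    ASP.NET's own construction (key derivation, algorithm, page modifier)
    differs; this shows only the tamper-proofing idea."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def verify(protected: bytes, key: bytes) -> Optional[bytes]:
    """Return the payload if its tag verifies, None if it was altered."""
    if len(protected) < 32:
        return None
    payload, tag = protected[:-32], protected[-32:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(tag, expected) else None


def mac_catches_modification(key: bytes) -> bool:
    """A MAC rejects altered state but leaves its contents readable, which is
    why step 2 (encryption) is still needed on top of step 1."""
    raw = base64.b64decode(PLAINTEXT_SAMPLE)
    protected = protect(raw, key)
    altered = bytearray(protected)
    altered[10] ^= 0x01  # change one byte of the serialized state
    return verify(protected, key) == raw and verify(bytes(altered), key) is None


if __name__ == "__main__":
    for name, sample in (("plaintext", PLAINTEXT_SAMPLE), ("opaque", OPAQUE_SAMPLE)):
        print(name, classify_viewstate(sample), exposed_strings(sample))
    print("MAC detects modification:",
          mac_catches_modification(b"constructed-validation-key"))
```

Run against your own application, classify_viewstate() takes the __VIEWSTATE hidden field value from a rendered page; a result of "plaintext" means the fix recommendation above (encryption via machineKey, with the MAC enabled) has not taken effect, and exposed_strings() shows exactly which values are being handed to every client.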