Description

This web application is configured with the pages property viewStateEncryptionMode set to Never. When configured this way, the viewstate encryption is disabled and it's possible to see the base64-encoded data stored in the viewstate. If sensitive data is stored in the state it's recommended to enable viewstate encryption.

Remediation

It's recommended to enable viewstate encryption by setting the page property viewStateEncryptionMode to Auto or Always.

<pages viewStateEncryptionMode="Auto">

References

Related Vulnerabilities