Unencrypted __VIEWSTATE parameter

Description
  • The __VIEWSTATE parameter is not encrypted. ViewState is serialized page state that ASP.NET base64-encodes before placing it in the page; base64 is an encoding, not a cipher, so anyone who can read the request or response can decode the value and recover whatever the application stored in it. If ViewState carries anything sensitive, it should be encrypted. Encryption addresses confidentiality only: tamper protection comes from the ViewState MAC (enableViewStateMac), which must stay enabled in any case, because an unsigned ViewState can be modified by the client and deserialized by the server. To confirm the finding, base64-decode a captured __VIEWSTATE value: output from the ASP.NET 2.0+ serializer begins with the bytes FF 01, and a MAC alone does not hide that header, whereas an encrypted value has no recognizable structure.
Remediation
  • Open Web.config and, under the <system.web> element, turn on ViewState encryption. On ASP.NET 2.0 and later the encryption switch is the viewStateEncryptionMode attribute of <pages>; on <machineKey>, the validation attribute selects the MAC algorithm and the decryption attribute selects the cipher. The older advice to set validation="AES" is the ASP.NET 1.1 way of requesting encryption and is accepted by later versions only for compatibility, so it does not by itself encrypt ViewState there:

      <pages viewStateEncryptionMode="Always" enableViewStateMac="true" />
      <machineKey validation="HMACSHA256" decryption="AES" />

    When the application runs on more than one server, add explicit validationKey and decryptionKey values (randomly generated, kept out of source control) so that a ViewState produced by one server validates on the others; with the default auto-generated keys it will not. After deployment, re-test by decoding a fresh __VIEWSTATE value: if it still begins with FF 01, encryption is not in effect.