View state MAC disabled

Description

View state MAC does not appear to be enabled on this page. The view state MAC setting determines whether ASP.NET checks the message authentication code (MAC) in the page's view state when the page is posted back from the client. When view state MAC is disabled, an attacker can modify the value of the view state and resubmit the modified value.

Remediation

You can enable view state MAC by setting the enableViewStateMac property to true, using configuration similar to the following.

<pages enableViewStateMac="true" />
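To locate where the setting is turned off, the check below (an added example, not part of the original advisory) reports every `<pages>` element in a web.config that sets enableViewStateMac to false, including those inside `<location>` blocks, and detects the equivalent EnableViewStateMac attribute on an `@ Page` directive. The sample inputs and function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs (not taken from any real application).
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <pages enableViewStateMac="true" />
  </system.web>
  <location path="legacy">
    <system.web>
      <pages enableViewStateMac="false" />
    </system.web>
  </location>
</configuration>"""
SAMPLE_ASPX = '<%@ Page Language="C#" EnableViewStateMac="false" %>\n<form runat="server"></form>'

# A page directive can switch the MAC check off for a single page.
PAGE_DIRECTIVE = re.compile(
    r'<%@\s*Page\b[^%]*?\bEnableViewStateMac\s*=\s*["\']\s*false\s*["\']', re.I)

def local_name(tag):
    """Drop an XML namespace prefix such as '{uri}pages'."""
    return tag.rsplit("}", 1)[-1]

def config_findings(web_config_xml):
    """Return the path of every <pages> element that sets enableViewStateMac to false."""
    findings = []

    def walk(node, path):
        for child in node:
            name = local_name(child.tag)
            # <location path="..."> scopes a setting to part of the site.
            if name == "location":
                name = 'location[path="%s"]' % child.get("path", "")
            here = path + "/" + name
            if name == "pages" and child.get("enableViewStateMac", "").strip().lower() == "false":
                findings.append(here)
            walk(child, here)

    root = ET.fromstring(web_config_xml)
    walk(root, local_name(root.tag))
    return findings

def page_disables_mac(aspx_source):
    """True when the @ Page directive sets EnableViewStateMac to false."""
    return PAGE_DIRECTIVE.search(aspx_source) is not None

if __name__ == "__main__":
    print(config_findings(SAMPLE_WEB_CONFIG))
    print(page_disables_mac(SAMPLE_ASPX))
```

A site-wide `true` does not cover a `<location>` block or a page directive that sets the value back to false, so both places need checking.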

Tags
  • Configuration