user2356169

Reputation: 73

Security issues on viewstate

I am resolving some security concerns for our application and we have ViewStateEncryptionMode set to true (in web.config). I noticed there is still a _VIEWSTATE field and now a new field on the form, _viewstateencrypted. I have two questions:

  1. Does this mean the viewstate can still be hacked, or will ASP.NET recognise and only use the encrypted field?
  2. I get an OWASP ZAP security issue saying they found an injection issue with the viewstate by appending text. How do I resolve this?

Thanks in advance

Upvotes: 2

Views: 5076

Answers (2)

crash

Reputation: 197

The VIEWSTATE is a security risk if it is not encrypted (anyone could modify the VIEWSTATE values and POST to your pages.)

To see it is encrypted, go here and paste your VIEWSTATE value: http://ignatu.co.uk/ViewStateDecoder.aspx

If that page can decode the VIEWSTATE then it is not encrypted.

To 'secure' your VIEWSTATE you need to set the following in your web.config:

<pages enableViewState="true" enableViewStateMac="true">

Upvotes: 1

jods

Reputation: 4591

Hard to say without more information, but here are a few random guesses:

  • ViewStateEncryptionMode can't be set to true?? I guess you mean 'Always' (MSDN reference).

  • If ViewStateEncryptionMode is Always, yes your viewstate is encrypted. This should hide the information it contains from prying eyes.

  • If you don't need to hide the viewstate content, but want to prevent tampering (i.e. modification) you can set enableViewStateMac='true'. This adds a cryptographic hash to check if the content was tampered with. See MSDN documentation for more details. Both this and ViewStateEncryptionMode can be active at the same time if you want to.

  • Most probably you are seeing a false positive from OWASP ZAP. Does your encoded viewstate contain strings such as SQL, JDBC or ODBC? See this bug.

  • The message reminds me vaguely of the padding oracle exploit. Is your server patched with MS10-070? Note that this is old stuff, the exploit was found and patched in 2010.

Upvotes: 2
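Both answers come down to two checks: whether the rendered page really carries an encrypted viewstate (crash's "paste it into a decoder" test), and whether web.config has the MAC and encryption settings jods describes. The following Python script is an added example, not code from either answer; it relies on the fact that the ObjectStateFormatter stream behind __VIEWSTATE begins with the bytes 0xFF 0x01, which an encrypted viewstate hides, and all HTML and web.config samples in it are constructed.

```python
import base64
import re
import xml.etree.ElementTree as ET

# ObjectStateFormatter, the serializer behind __VIEWSTATE, starts its stream
# with a format marker 0xFF and a version byte 0x01. MAC-only viewstate keeps
# this header (the HMAC is appended); encrypted viewstate is ciphertext and does not.
OSF_HEADER = b"\xff\x01"

def viewstate_is_plaintext(viewstate_b64: str) -> bool:
    """True if the __VIEWSTATE value decodes to an unencrypted serialized stream."""
    return base64.b64decode(viewstate_b64).startswith(OSF_HEADER)

def audit_form(html: str) -> dict:
    """Check a rendered page for the __VIEWSTATEENCRYPTED marker and a plaintext viewstate."""
    fields = dict(re.findall(r'name="(__VIEWSTATE[A-Z]*)"[^>]*value="([^"]*)"', html))
    vs = fields.get("__VIEWSTATE", "")
    return {
        "encrypted_marker_present": "__VIEWSTATEENCRYPTED" in fields,
        "viewstate_plaintext": bool(vs) and viewstate_is_plaintext(vs),
    }

def audit_web_config(xml_text: str) -> dict:
    """Report the <pages> MAC and encryption settings (ASP.NET defaults: MAC on, mode Auto)."""
    pages = ET.fromstring(xml_text).find("./system.web/pages")
    attrs = pages.attrib if pages is not None else {}
    return {
        "mac_enabled": attrs.get("enableViewStateMac", "true").lower() == "true",
        "encryption_mode": attrs.get("viewStateEncryptionMode", "Auto"),
    }

# Constructed samples (not captured from a real application).
_PLAIN_VS = base64.b64encode(OSF_HEADER + b"\x0f\x05constructed-page-state").decode()
_CIPHER_VS = base64.b64encode(b"\x9a\x41\x7c\xd3constructed-ciphertext").decode()
SAMPLE_PLAIN_HTML = f'<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="{_PLAIN_VS}" />'
SAMPLE_ENCRYPTED_HTML = (
    f'<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="{_CIPHER_VS}" />'
    '<input type="hidden" name="__VIEWSTATEENCRYPTED" id="__VIEWSTATEENCRYPTED" value="" />'
)
WEAK_CONFIG = '<configuration><system.web><pages enableViewStateMac="false" /></system.web></configuration>'
FIXED_CONFIG = ('<configuration><system.web><pages enableViewStateMac="true" '
                'viewStateEncryptionMode="Always" /></system.web></configuration>')

if __name__ == "__main__":
    print(audit_form(SAMPLE_PLAIN_HTML))      # marker absent, viewstate readable
    print(audit_form(SAMPLE_ENCRYPTED_HTML))  # marker present, viewstate not readable
    print(audit_web_config(WEAK_CONFIG), audit_web_config(FIXED_CONFIG))
```

A page that reports `viewstate_plaintext: True` is what crash's decoder test would also flag; the web.config check only reads the attributes, so an `Auto` result still depends on whether any control requested encryption.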
