Reputation: 31
I have my web application where I have set the enableViewStateMac="true" under attribute in web.config. I was trying to validate different security aspects of view state.
However, there is one scenario where enableViewStateMac="true" fails to validate that the _ViewState has been changed. I am using the "TamperData" plugin of the Firefox browser. Using TamperData, I completely remove the value of _VIEWSTATE and then POST the web request. The POST request gets posted successfully and the page redirects to the next page successfully without any error.
Though, as per my knowledge and security testing so far for enableViewStateMac="true", it seems to me that EnableViewStateMac only works/validates whether _VIEWSTATE is being tampered with or not. But it doesn't validate if the _VIEWSTATE value is being deleted/removed completely.
Is there a way I can validate this also (that is, if someone has completely removed the value of _VIEWSTATE)?
Thanks in advance, Happy coding :)
Upvotes: 3
Views: 435
Reputation: 32818
When the page is generated, store a value in ViewState. Then, on post back, read that value back out. If __VIEWSTATE isn't present you'll receive a null value back at read time.
Upvotes: 1
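The approach from the answer above, written out as an added example (not code from the original answer): a base page stores a marker in ViewState and rejects any postback on which it does not read back. The class name `ViewStateRequiredPage`, the marker key and value, and the choice of a 400 response are assumptions, and the page is assumed to have view state enabled.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Hypothetical base page (name is an assumption); pages that must reject
// a stripped view state inherit from it instead of System.Web.UI.Page.
public class ViewStateRequiredPage : Page
{
    // Constructed key and value. Any fixed, non-null value works: the check
    // is for presence only, since the MAC already covers integrity.
    private const string MarkerKey = "ViewStateMarker";
    private const string MarkerValue = "present";

    protected override void OnLoad(EventArgs e)
    {
        if (IsPostBack)
        {
            // View state has already been loaded by the Load stage. As the
            // answer describes, when __VIEWSTATE was removed from the POST
            // the stored value reads back as null.
            string marker = ViewState[MarkerKey] as string;
            if (!string.Equals(marker, MarkerValue, StringComparison.Ordinal))
            {
                // Fail here, before any control event handler
                // (for example a button click) gets to run.
                throw new HttpException(400, "View state missing from postback.");
            }
        }

        // Store the marker (again) so the next rendered form carries it.
        ViewState[MarkerKey] = MarkerValue;

        base.OnLoad(e);
    }
}
```

Because the check runs in `OnLoad`, it executes before postback event handlers, so the redirect described in the question is never reached when the marker is absent.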