026 – Encrypt client-side session information

Summary

The system must encrypt and verify client-side session information (ViewState).

Description

Using client-side encryption makes it less likely for the data session to be intercepted by hostile third parties.

Supported In

Essential: True

Advanced: True

References

• CAPEC-39. Manipulating opaque client-based data tokens
• CAPEC-74. Manipulating state
• CWE-642. External control of critical state data
• CERTJ-LCK11-J. Avoid client-side locking when using classes that do not commit to their locking strategy
• CERTJ-MSC11-J. Do not let session information leak within a servlet
• MITRE-M1041. Encrypt sensitive information
• CMMC-AC_L2-3_1_19. Encrypt CUI on mobile
• CMMC-CM_L2-3_4_9. User-installed software
• OWASPSCP-5. Access control
• NIST800171-1_19. Encrypt CUI on mobile devices and mobile computing platforms
• ASVS-1_8_2. Data protection and privacy architecture
• CWE-13. Misconfiguration - Password in configuration file
• ASVS-4_1_2. General access control design
• CASA-1_8_2. Data Protection and Privacy Architecture
• CASA-4_1_2. General Access Control Design

Weaknesses

• 036 – ViewState not encrypted

Last updated

2023/09/18