Http Unencrypted Viewstate
Description
Detects unencrypted ASP.NET viewstate parameters in web applications. Unencrypted viewstates can expose sensitive server-side application state data to potential attackers, allowing them to view and potentially manipulate the application's state information. This is particularly critical for applications handling sensitive data or requiring strong security controls.
Detection Strategy
• Examines HTML responses for input elements named '__VIEWSTATE'
• Checks whether the viewstate value can be decoded as-is, without decryption
• Reports a vulnerability if an unencrypted viewstate is found in the page content
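The three steps above can be sketched as follows. This is an added example, not Fluid Attacks' own scanner code. It assumes that an unencrypted viewstate base64-decodes to data beginning with the ObjectStateFormatter marker bytes 0xFF 0x01. The function names and sample pages are constructed for illustration.

```python
import base64
import binascii
from html.parser import HTMLParser

# Assumption of this example: serialized, unencrypted viewstate data starts
# with the ObjectStateFormatter marker bytes 0xFF 0x01.
PLAINTEXT_MAGIC = b"\xff\x01"


class _ViewStateCollector(HTMLParser):
    """Collects the value of every <input name="__VIEWSTATE"> element."""

    def __init__(self):
        super().__init__()
        self.values = []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "input" and attr.get("name") == "__VIEWSTATE":
            self.values.append(attr.get("value") or "")


def is_unencrypted(value):
    """True if the field base64-decodes to a plaintext serialized viewstate."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False  # not base64 at all, so nothing was decoded
    return raw.startswith(PLAINTEXT_MAGIC)


def find_unencrypted_viewstates(html):
    """Return the __VIEWSTATE values in `html` that decode without a key."""
    collector = _ViewStateCollector()
    collector.feed(html)
    return [v for v in collector.values if is_unencrypted(v)]


# Constructed sample pages (not captured from a real application).
_FIELD = '<form><input type="hidden" name="__VIEWSTATE" value="%s" /></form>'
PLAIN_PAGE = _FIELD % base64.b64encode(PLAINTEXT_MAGIC + b"\x0f\x05sample").decode()
OPAQUE_PAGE = _FIELD % base64.b64encode(bytes(range(16, 48))).decode()

if __name__ == "__main__":
    for name, page in (("plain", PLAIN_PAGE), ("opaque", OPAQUE_PAGE)):
        print(name, "->", len(find_unencrypted_viewstates(page)), "finding(s)")
```

A value that fails this check is only opaque to the heuristic; it does not prove the viewstate is encrypted with a sound configuration.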