This article is a part of our Web Security Knowledge Base

Why Viewstate without MAC Signature (Unsure) can be dangerous

The Viewstate is a mechanism built into the .NET framework. It persists a user's data between successive requests. The ViewState parameter is serialized and signed by the server so that the user cannot modify it. The message authentication code (MAC signature) is used for this purpose.

The Viewstate without MAC Signature (Unsure) error means that MAC validation is missing for the Viewstate parameter. This can potentially allow the user to arbitrarily modify the data that is sent in the ViewState parameter and processed on the server, which is a serious security risk.

How to fix Viewstate without MAC Signature (Unsure)

Review the contents of the ViewState and check whether it contains any critical items that can be manipulated to attack the application. To prevent any data manipulation, make sure that the MAC signature is enabled by setting the EnableViewStateMac property to true.
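One way to check that setting across an application's files, as an added example that is not ScanRepeat's or Microsoft's code. It assumes the property is set as enableViewStateMac on the pages element in web.config or as EnableViewStateMac in an @ Page directive; the sample config, the "legacy" path and the sample page are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs; the "legacy" location path is hypothetical.
WEAK_WEB_CONFIG = """<configuration>
  <system.web>
    <pages enableViewStateMac="false" />
  </system.web>
  <location path="legacy">
    <system.web>
      <pages enableViewStateMac="False" />
    </system.web>
  </location>
</configuration>"""
# The corrected configuration: same file with the MAC switched back on.
FIXED_WEB_CONFIG = re.sub(r'(?i)"false"', '"true"', WEAK_WEB_CONFIG)
SAMPLE_ASPX = '<%@ Page Language="C#" EnableViewStateMac="false" %>\n<html></html>'

PAGE_DIRECTIVE = re.compile(r"<%@\s*Page\b(.*?)%>", re.I | re.S)
MAC_OFF = re.compile(r"\bEnableViewStateMac\s*=\s*[\"']?\s*false\b", re.I)


def children(node, tag):
    """Direct child elements of node with the given tag name."""
    return [c for c in node if c.tag == tag]


def audit_web_config(xml_text):
    """Return the scope of every <pages> element that disables the ViewState MAC."""
    root = ET.fromstring(xml_text)
    # <pages> can be set site-wide or per path inside <location path="...">.
    scopes = [("(site-wide)", root)]
    scopes += [(loc.get("path", ""), loc) for loc in children(root, "location")]
    findings = []
    for scope, node in scopes:
        for system_web in children(node, "system.web"):
            for pages in children(system_web, "pages"):
                # A missing attribute is not flagged; only an explicit "false" is.
                if pages.get("enableViewStateMac", "").strip().lower() == "false":
                    findings.append(scope)
    return findings


def audit_aspx(source):
    """True when the @ Page directive sets EnableViewStateMac to false."""
    directive = PAGE_DIRECTIVE.search(source)
    return bool(directive and MAC_OFF.search(directive.group(1)))


if __name__ == "__main__":
    print("weak web.config :", audit_web_config(WEAK_WEB_CONFIG))
    print("fixed web.config:", audit_web_config(FIXED_WEB_CONFIG))
    print("sample .aspx    :", audit_aspx(SAMPLE_ASPX))
```

Each scope returned by audit_web_config and each page flagged by audit_aspx is a place where the property has to be set back to true.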

How does ScanRepeat report Viewstate without MAC Signature (Unsure)

ScanRepeat detects whether the website uses ASP.NET Viewstate and reports every page where the Viewstate may have the MAC signature disabled.
