Cryptography / Viewstate without Mac Enabled

Web and API


ASP.NET ViewState without MAC enabled is a cryptography vulnerability, classified under CWE-352, that occurs in web and API applications. It occurs when the application does not properly validate the ViewState data transmitted between the client and the server, enabling malicious users to tamper with the contents of the ViewState. This can lead to various attacks such as Cross-Site Request Forgery (CSRF), Cross-Site Scripting (XSS), and other attacks. The OWASP Testing Guide provides guidance on how to identify and test for this vulnerability.


This vulnerability can lead to a wide range of attacks, depending on the context of the application. If the application relies on the ViewState for important operations, such as user authentication or authorization, it could lead to an attacker gaining access to sensitive data. This could result in data breaches, financial damage, and reputational damage.


The first step to solving this vulnerability is to enable Message Authentication Code (MAC) validation on the ViewState. This ensures that the ViewState data is not tampered with, and can be validated by the server. Additionally, developers should always ensure that ViewState data is properly encoded and encrypted, and that the data is only used where necessary - any unnecessary ViewState data should be removed to reduce the attack surface.


The following example is taken from CVE-2018-8174. It shows an ASP.NET application with ViewState without MAC enabled, allowing attackers to modify the ViewState data:

<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="dDwzMTE5MTY4ODY7O2w8aTwxPjs+O2w8dDw7bDxpPDA+Oz47bDx0PDtsPGk8MT47PjtsPHQ8O2w8aTwwPjs+O2w8dDxwPHA8bDxvbmNsaWNrOz47bDx3aW5kb3cuY2xvc2UoKTs7Pj47Pjs7Pjt0PDtsPGk8MD47PjtsPHQ8cDxwPGw8b25jbGljazs+O2x8d2luZG93LmNsb3NlKCk7Oz4+Oz47Oz47Pjs7Pjt0PHA8cDxsPG9uY2xpY2s7PjtsfHdpbmRvdy5jbG9zZSgpOzs+Pjs+Ozs+O3Q8cDxwPGw8b25jbGljazs+O2x8d2luZG93LmNsb3NlKCk7Oz4+Oz47Oz47dDxwPHA8bDxvbmNsaWNrOz47bHx3aW5kb3cuY2xvc2UoKTs7Pj47Pjs7Pjt0PEAwPHA8cDxsPFRleHQ7PjtsPEFzc2V0cyBJbnN0YW50aWF0aW9uIFN0YXR1czs+Pjs+Ozs+O3Q8QDA8cDxwPGw8VGV4dDs+O2w8Q3VycmVuY3k7Pj47Pjs7Pjt0PEAwPHA8cDxsPFRleHQ7PjtsPFRvdGFsIEluc3RhbnQgQXNzZXRzOz4+Oz47Oz47dDxwPHA8bDxUZXh0Oz47bDxUaGUgVmlld1N0YXRlIGRhdGEgd2FzIG5vdCB2YWxpZGF0ZWQgd2l0aCBhIE1lc3NhZ2UgQXV0aGVudGljYXRpb24gQ29kZSAoTUFDKTs+Pjs+Ozs+O3Q8QDA8cDxwPGw8VGV4dDs+O2w8U3VtbWFyeTs+Pjs+Ozs+Oz4+Oz4+Oz7YFyf8GzBp0JwF54ZKfjZlXlGQ==" />

Curious? Convinced? Interested?

Arrange a no-obligation consultation with one of our product experts today.