Kingdom: Security Features
Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.
ASP.NET Misconfiguration: ViewStateMac Disabled
Abstract
Disabling the view state message authentication check (MAC) can allow attackers to modify the View State.
Explanation
In ASP.NET, the view state is a mechanism to persist state in web forms across postbacks. Data stored in the view state is not trustworthy because there is no mechanism for preventing replay attacks. Trusting the view state is particularly dangerous when the view state message authentication check is disabled. Disabling this check allows attackers to make arbitrary changes to the data stored in the view state and can open the door for attacks against code that trusts the view state. Attackers might use this kind of error to defeat authentication checks or alter item pricing.
References
[1] Understanding ASP.NET View State Microsoft
[2] Michal Zalewski ASP.NET __VIEWSTATE crypto validation prone to replay attacks
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[7] Standards Mapping - CIS Kubernetes Benchmark complete
[8] Standards Mapping - Common Weakness Enumeration CWE ID 353
[9] Standards Mapping - FIPS200 CM
[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[11] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[12] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[13] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[14] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[15] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[16] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.5.3 Token-based Session Management (L2 L3), 10.3.2 Deployed Application Integrity Controls (L1 L2 L3)
[18] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[19] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 2.2.3
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 2.2.3
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 2.2.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 2.2.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 2.2.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 2.2.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 2.2.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 2.2.6
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 2.2 - Secure Defaults
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 2.2 - Secure Defaults
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 2.2 - Secure Defaults
[31] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
[32] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.config.dotnet.asp_dotnet_misconfiguration.viewstatemac_disabled