How to disable runtime input hidden field viewstate in ASP dot net page

Question

1.00/5 (1 vote)

See more:

It is possible to inject arbitrary HTML tags such as

KeYPptCOpRiLl8Nut+OyEi1KENO25Mat5hfECcdE7PQc/+yfdtK/kUF63b/q9jAREVEkPuVpNzjDn706IRbottF+ehOeZSRLIqd7aTQ8k3HYdLDSflNCQ8kA/+Hbpn9iHzoed1tphn2unPnd3SGFY19G6GqvQfdKCwh1WJVH70q43520XPdCOuXXtNrVaIQKkVrdZjOc7UH5ZEDinK/HBLQBmmqsPGm1kelrqZa9cgzuMNBVcduOKLw9xdJCos97kHZg0ZkfZNXQZM40snoRxDBfwunEfzP1gBbWWpdBj/ACybWDuvr3EFGAIJLo+DJjeBCKpM4i/BoeIaYhK6b+ko7nUSXmrzL4zozjCQr9mfkRp+sjK+/uZMac3qGf5FugO0QdHg==vc0d3(2362857338)

into the __VIEWSTATE parameter which results in JavaScript code being executed on error aspx page. This form of Cross-Site Scripting is considered persistent XSS due to the fact that once the injected data is sent to the server, it is stored and persists across requests. This can have varying consequences depending on where and to whom the inserted data is displayed. XSS vulnerabilities are commonly exploited to steal or manipulate cookies, modify presentation of content, and compromise confidential information, with new attack vectors being discovered on a regular basis.

run time I can see this value for viewstate

What I have tried:

I tried to make it false and true also in aspx page

EnableEventValidation="false" EnableViewState="false"

but issue is not getting fixed in Veracode platform . How can fix it

I tried this also made it True but nothing worked

Posted 11-Jun-24 23:59pm

Thirumadhi T Johnson

Updated 12-Jun-24 0:12am

Richard Deeming

v2

Add a Solution

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Richard Deeming · Answer 1 · 2024-06-12T00:17:00

It sounds like you're using an ancient version of .NET Framework - beginning with .NET 4.5.2, released in December 2013, the ViewState field(s) are encrypted and protected with a Message Authentication Code. And a patch released in September 2014 set ASP.NET to ignore the EnableViewStateMac setting and use the ASP.NET 4.5.2 encryption settings in all versions of ASP.NET going back to ASP.NET 1.1.

So if you are still able to tamper with the ViewState, that suggests your server is at least 10 years behind on its security patches. Which means you have much bigger problems to deal with!

Secure ASP.NET ViewState - .NET Blog[^]