ViewState is one of the most important aspects of ASP.NET WebForms applications, and also one of the most confusing. It is a technique for storing changes in dynamic web pages during user interaction with the application server. Although it is normally used with POST requests, a GET request sent with the right parameters can also carry a ViewState.
ViewState is stored in a hidden HTML input field:
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="..." />
The integrity of the data stored in ViewState is protected by a message authentication code (MAC), which uses a secret key to ensure that no attacker tampers with the VIEWSTATE data. What matters here is integrity rather than secrecy. To provide that integrity, the MAC must not be disabled. The configuration below disables the message authentication code applied to the VIEWSTATE and allows attackers to tamper with the ViewState data.
<configuration>
  <system.web>
    <pages enableViewStateMac="False" />
  </system.web>
</configuration>
The MAC can also be disabled for individual .aspx pages:
<%@ Page EnableViewStateMac="false" %>
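A review-time check for both settings shown above, as an added example (not code from the original page): it flags any `<pages>` element in a web.config and any `@ Page` directive that turns the ViewState MAC off. The function names and the sample inputs are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Matches an ASP.NET page directive such as <%@ Page ... %>
DIRECTIVE_RE = re.compile(r"<%@\s*Page\b(.*?)%>", re.IGNORECASE | re.DOTALL)
ATTR_RE = re.compile(r"""\bEnableViewStateMac\s*=\s*["']?\s*(\w+)""", re.IGNORECASE)


def config_disables_mac(web_config_xml):
    """Return the path of every <pages> element that sets enableViewStateMac to false."""
    hits = []

    def walk(elem, path):
        name = elem.tag.rsplit("}", 1)[-1]  # drop an XML namespace prefix if present
        here = f"{path}/{name}"
        if name.lower() == "pages":
            for attr, value in elem.attrib.items():
                if attr.lower() == "enableviewstatemac" and value.strip().lower() == "false":
                    hits.append(here)
        for child in elem:  # also covers <location> overrides nested deeper
            walk(child, here)

    walk(ET.fromstring(web_config_xml), "")
    return hits


def page_disables_mac(aspx_source):
    """Return True if any @ Page directive sets EnableViewStateMac to false."""
    for directive in DIRECTIVE_RE.finditer(aspx_source):
        m = ATTR_RE.search(directive.group(1))
        if m and m.group(1).lower() == "false":
            return True
    return False


# Constructed sample inputs (not taken from a real application).
SAMPLE_CONFIG = """<configuration>
  <system.web><pages enableViewStateMac="False" /></system.web>
  <location path="admin">
    <system.web><pages enableViewStateMac="true" /></system.web>
  </location>
</configuration>"""
SAMPLE_PAGE = '<%@ Page Language="C#" EnableViewStateMac="false" %>\n<html></html>'
SAMPLE_SAFE_PAGE = '<%@ Page Language="C#" %>\n<html></html>'

if __name__ == "__main__":
    print(config_disables_mac(SAMPLE_CONFIG))
    print(page_disables_mac(SAMPLE_PAGE), page_disables_mac(SAMPLE_SAFE_PAGE))
```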