992 Views 1 Reply Latest reply: Apr 20, 2012 1:25 PM by WillB RSS
Matthew Mangold Lurker 1 posts since
Apr 20, 2012

Apr 20, 2012 12:54 PM

.netviewstate and encryption

While scanning one of our web applications I got a vulnerability that stated .netviewstate was not encrypted. Is this a big deal if you are using SSL?

  • WillB Level 4 294 posts since
    May 2, 2011
    Apr 20, 2012 1:25 PM (in response to Matthew Mangold)
    .netviewstate and encryption

    SSL protects you from others seeing a user's traffic, but in this case you are trying to protect your application from the user viewing or altering information that is contained in the request.  So the SSL doesn't really help since it is the user you are worried about (think malicious user).

    The viewstate can contain information that is passed along during a session and in some cases could contain data that you don't want to have the user be able to see or modify from request to request.  This is a rare situation as most data contained in a viewstate will not be of much significance.  But the best practice is to encrypt the viewstate to protect against the rare situation in which it may have sensitive information or allow modification in a way that would cause the application an issue.  Encryption keeps the user from being able to read or tamper with the viewstate information.  There really is no good reason not to encrypt except that it takes a few extra CPU cycles to perform the encryption.

     

     

    Hope this helps
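
The check a scanner makes here can be reproduced by hand. The following is an added example, not part of the original thread: it pulls the `__VIEWSTATE` field out of a page, base64-decodes it, and reports whether the content is readable by the user who received it. The function names and sample values are constructed for illustration; the two-byte `FF 01` marker is how unencrypted ASP.NET 2.0+ view state begins.

```python
import base64
import re

# Unencrypted view state (signed or not) is base64 of a serialized object
# graph that begins with these marker bytes; encrypted view state is opaque.
PLAINTEXT_MARKER = b"\xff\x01"
FIELD_RE = re.compile(
    r'<input[^>]*name="__VIEWSTATE"[^>]*value="([^"]*)"', re.IGNORECASE)

def extract_viewstate(html):
    """Return the raw __VIEWSTATE value from a page, or None if absent."""
    m = FIELD_RE.search(html)
    return m.group(1) if m else None

def inspect_viewstate(value):
    """Classify a __VIEWSTATE value and list the strings a user could read."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:
        return {"status": "not-base64", "readable": []}
    if not raw.startswith(PLAINTEXT_MARKER):
        return {"status": "opaque", "readable": []}
    # Runs of 4+ printable ASCII bytes are what the user sees after decoding.
    found = re.findall(rb"[\x20-\x7e]{4,}", raw)
    return {"status": "plaintext", "readable": [s.decode("ascii") for s in found]}

def _constructed_plain(strings):
    """Constructed stand-in for unencrypted view state: marker, length-prefixed
    strings, then 20 zero bytes where a MAC would sit. Not real serializer output."""
    body = b"".join(b"\x05" + bytes([len(s)]) + s.encode() for s in strings)
    return base64.b64encode(PLAINTEXT_MARKER + body + bytes(20)).decode()

# Constructed samples; no real application data.
SAMPLE_PLAIN = _constructed_plain(["AccountTier=Gold", "InternalPriceCode=7731"])
SAMPLE_OPAQUE = base64.b64encode(
    bytes((i * 37 + 11) % 256 for i in range(48))).decode()  # stands in for ciphertext
SAMPLE_PAGE = ('<form><input type="hidden" name="__VIEWSTATE" '
               'id="__VIEWSTATE" value="%s" /></form>' % SAMPLE_PLAIN)

if __name__ == "__main__":
    # TLS was irrelevant to this result: the browser already holds the field.
    print(inspect_viewstate(extract_viewstate(SAMPLE_PAGE)))
    print(inspect_viewstate(SAMPLE_OPAQUE))
```

A `plaintext` result on a page served over SSL is exactly the situation the scanner flagged; in ASP.NET the remediation is `viewStateEncryptionMode="Always"` on the `<pages>` element in web.config, after which the field decodes to opaque bytes.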
