HawkScan Test Info for Viewstate without MAC Signature (Unsure)

Viewstate without MAC Signature (Unsure)


Plugin Id: 10032


To remediate this vulnerability, the website should ensure that ASP.NET’s Viewstate is always accompanied by a MAC (Message Authentication Code) signature. This will help protect the integrity and authenticity of the Viewstate data.

To enable MAC signature for Viewstate in ASP.NET, the following steps can be taken:

  1. Enable Viewstate MAC in web.config: Add or modify the following configuration in the web.config file:

      <pages enableViewStateMac="true" />

    This configuration setting enables the MAC signature for Viewstate on all pages of the website.

  2. Verify Viewstate MAC on individual pages: In some cases, you may want to verify the MAC signature on specific pages only. To do this, set the EnableViewStateMac property to true on those pages:

    protected void Page_Load(object sender, EventArgs e)
        this.EnableViewStateMac = true;

    By enabling the MAC signature on individual pages, you have more control over which pages require the signature.


ASP.NET’s Viewstate is a mechanism used to persist state information between web requests. It stores the values of controls and other page-specific data in a hidden field on the page. By default, ASP.NET automatically adds a MAC signature to the Viewstate to ensure its integrity and prevent tampering.

However, in this case, the website is using Viewstate without any MAC signature. This means that the Viewstate data is not protected against modifications or tampering. Without the MAC signature, an attacker could potentially modify the Viewstate data, leading to security vulnerabilities such as session hijacking, data tampering, or replay attacks.


The risks associated with using Viewstate without a MAC signature include:

  1. Data tampering: Without the MAC signature, an attacker can modify the Viewstate data, potentially leading to unauthorized changes in the application’s state or behavior.

  2. Session hijacking: By tampering with the Viewstate, an attacker may be able to hijack a user’s session and impersonate them, gaining unauthorized access to sensitive information or performing malicious actions on their behalf.

  3. Replay attacks: Without the MAC signature, an attacker could capture and replay a valid Viewstate, potentially bypassing security measures and performing actions on behalf of the original user.

It is important to address this vulnerability by enabling the MAC signature for Viewstate to ensure the integrity and security of the application’s state data.