StackHawk Documentation (HawkDocs)


Insecure JSF ViewState

Reference
Plugin ID: 90001
CWE: 642
WASC: 14
Unknown
Passive
Insecure Design

Remediation

  1. Enable ViewState MAC: Configure the application to enable Machine Authentication Check (MAC) on ViewState data.
  2. Implement encryption: Enable ViewState encryption to protect sensitive state information from tampering.
  3. Use strong keys: Ensure strong, application-specific keys are used for ViewState protection.
  4. Validate configuration: Verify that ViewState protection is properly configured in web.config or application settings.
  5. Regular testing: Periodically test ViewState security to ensure protections remain effective.

About

Insecure JSF ViewState occurs when a web application sends ViewState data to the client without cryptographic protection such as a Message Authentication Code (MAC) or encryption. Because the client can then read and modify that state, attackers can potentially tamper with application state, manipulate user sessions, or perform unauthorized actions.

Risks

High

Unprotected ViewState can enable state tampering attacks, session manipulation, privilege escalation, and unauthorized access to application functionality through ViewState deserialization vulnerabilities.
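As an added example (not StackHawk's or the scanner's own code), the following Python script applies the kind of passive check this finding describes to constructed sample pages: it pulls the hidden javax.faces.ViewState field out of the HTML and decides whether the value is an opaque server-side token, an opaque (encrypted) blob, or a client-readable serialized Java object, which is the condition remediation steps 1 and 2 exist to remove and step 5 asks you to re-test for. The field names, the Java serialization and gzip magic bytes, and the two-signed-longs shape of a server-side token are standard JSF/Java facts; the sample pages, helper names and verdict strings are assumptions made for this example.

```python
import base64
import binascii
import gzip
import re
import zlib
from html.parser import HTMLParser

# Magic bytes a decoded ViewState starts with when state is sent unprotected.
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"   # java.io.ObjectOutputStream header; base64 "rO0AB..."
GZIP_MAGIC = b"\x1f\x8b"                  # gzip-compressed state; base64 "H4sI..."

# Hidden field names rendered by JSF 2.x and by Jakarta Faces 4.
VIEWSTATE_FIELD_NAMES = {"javax.faces.ViewState", "jakarta.faces.ViewState"}


class _ViewStateCollector(HTMLParser):
    """Collect the value of every hidden ViewState input on a page."""

    def __init__(self):
        super().__init__()
        self.values = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        a = dict(attrs)
        if a.get("name") in VIEWSTATE_FIELD_NAMES and a.get("value") is not None:
            self.values.append(a["value"])


def extract_viewstates(html):
    parser = _ViewStateCollector()
    parser.feed(html)
    return parser.values


def classify_viewstate(value):
    """Classify one ViewState value the way a passive check would (heuristic)."""
    # Server-side state saving: the browser only receives an opaque identifier
    # such as "-8413103823187321245:5221470329963329564" (two signed longs).
    if re.fullmatch(r"-?\d+:-?\d+", value):
        return "server-side token"
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return "unrecognised"
    if raw.startswith(GZIP_MAGIC):
        try:
            raw = gzip.decompress(raw)
        except (OSError, EOFError, zlib.error):
            return "compressed, undecodable"
    if raw.startswith(JAVA_SERIAL_MAGIC):
        return "unprotected: serialized Java object readable by the client"
    return "opaque blob (encrypted or unknown format)"


def find_insecure_viewstates(html):
    """Return (value, verdict) pairs for ViewState fields a scanner should report."""
    reported = []
    for value in extract_viewstates(html):
        verdict = classify_viewstate(value)
        if verdict.startswith("unprotected"):
            reported.append((value, verdict))
    return reported


# --- constructed sample pages, not captured from any real application ---
def _page(value):
    return ('<form id="f" method="post"><input type="hidden" '
            'name="javax.faces.ViewState" id="j_id1:javax.faces.ViewState:0" '
            f'value="{value}" autocomplete="off" /></form>')


_FAKE_STATE = JAVA_SERIAL_MAGIC + b"\x73\x72\x00\x0cfake.Payload"   # constructed bytes
PLAINTEXT_STATE = base64.b64encode(_FAKE_STATE).decode()
COMPRESSED_STATE = base64.b64encode(gzip.compress(_FAKE_STATE)).decode()
ENCRYPTED_LIKE = base64.b64encode(bytes(range(0x10, 0x30))).decode()   # no magic bytes
SERVER_TOKEN = "-8413103823187321245:5221470329963329564"

SAMPLE_PAGES = {
    "client_plain": _page(PLAINTEXT_STATE),
    "client_gzip": _page(COMPRESSED_STATE),
    "client_encrypted": _page(ENCRYPTED_LIKE),
    "server": _page(SERVER_TOKEN),
}

if __name__ == "__main__":
    for name, html in SAMPLE_PAGES.items():
        for value in extract_viewstates(html):
            print(f"{name:18s} {classify_viewstate(value)}")
```

The first two sample pages are what a client-side-state deployment without encryption looks like to the scanner: the decoded value (after optional gzip) begins with the serialization header, so the whole component tree is readable and editable by whoever holds the page. The encrypted and server-side samples produce no finding. Switching javax.faces.STATE_SAVING_METHOD to server, or keeping client-side saving but with the JSF implementation's encryption and MAC enabled with application-specific secrets, moves a page from the first group to the second.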
