This project is read-only.


NEW CHECK - detect when ASP.NET VIEWSTATE has MAC protection disabled


Identify when EnableMacValidation has been disabled. This check looks at ASP.NET VIEWSTATE values to detect when MAC protection has been disabled. If disabled, it's possible for attackers to tamper with the VIEWSTATE and create XSS attacks. More information is available from the advisory at

Using a similar method that Patrick Toomey uses in his ViewState encoder/decoder plugin for Fiddler: We can use the LosFormatter class to deserialize and then re-serialize the VIEWSTATE. When comparing both values (before and after) we look for a length difference of 20 bytes, or 32 bytes for .NET 4.0. LosFormatter.Serialize has an option to include a MAC. By default however it will not create a MAC, and will actually strip the MAC (last 20 or 32 bytes) off of the VIEWSTATE for us if it exists.
Closed Feb 24, 2010 at 9:00 PM by


chrisweber wrote Feb 24, 2010 at 8:59 PM

Checked in and passing all tests.