NEW CHECK - detect when ASP.NET VIEWSTATE has MAC protection disabled


Identify when EnableMacValidation has been disabled. This check looks at ASP.NET VIEWSTATE values to detect when MAC protection has been disabled. If disabled, it's possible for attackers to tamper with the VIEWSTATE and create XSS attacks. More information is available from the advisory at

This uses a method similar to the one Patrick Toomey uses in his ViewState encoder/decoder plugin for Fiddler: the LosFormatter class deserializes and then re-serializes the VIEWSTATE. Comparing the two values (before and after), we look for a length difference of 20 bytes, or 32 bytes for .NET 4.0. LosFormatter.Serialize has an option to include a MAC. By default, however, it does not create a MAC, and it strips the MAC (the last 20 or 32 bytes) off the VIEWSTATE if one exists.
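
The round-trip comparison described above, as an added example (not the check's own code or Patrick Toomey's plugin). The names MacState, ViewStateMacCheck and Inspect are hypothetical, the sample VIEWSTATE is constructed inline, and the code assumes .NET Framework with a reference to System.Web.dll.

```csharp
using System;
using System.IO;
using System.Web.UI; // LosFormatter and Pair live in System.Web.dll (.NET Framework)

enum MacState { Absent, Present, Unknown }

static class ViewStateMacCheck
{
    // Trailer sizes from the text above: 20 bytes, or 32 bytes for .NET 4.0.
    static readonly int[] MacLengths = { 20, 32 };

    public static MacState Inspect(string viewState)
    {
        byte[] original;
        string roundTripped;
        try
        {
            original = Convert.FromBase64String(viewState);
            var formatter = new LosFormatter();       // default constructor: no MAC
            object graph = formatter.Deserialize(viewState);
            using (var writer = new StringWriter())
            {
                formatter.Serialize(writer, graph);   // re-serialized without a trailer
                roundTripped = writer.ToString();
            }
        }
        catch (Exception)
        {
            return MacState.Unknown; // not a value LosFormatter can read
        }

        int diff = original.Length - Convert.FromBase64String(roundTripped).Length;
        if (diff == 0) return MacState.Absent;        // nothing stripped: report this
        return Array.IndexOf(MacLengths, diff) >= 0 ? MacState.Present : MacState.Unknown;
    }

    static void Main()
    {
        // Constructed sample: serialize a small object graph without a MAC,
        // then append 20 zero bytes to stand in for a MAC trailer.
        var writer = new StringWriter();
        new LosFormatter().Serialize(writer, new Pair("user", 42));
        string unsigned = writer.ToString();
        byte[] raw = Convert.FromBase64String(unsigned);
        byte[] withTrailer = new byte[raw.Length + 20];
        raw.CopyTo(withTrailer, 0);

        Console.WriteLine(Inspect(unsigned));
        Console.WriteLine(Inspect(Convert.ToBase64String(withTrailer)));
    }
}
```

A difference that is neither 0 nor one of the two expected trailer sizes is reported as Unknown rather than guessed at, so the check only flags pages where the round trip removes nothing.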
