Making an explicit reference will ensure that the viewstate is properly validated.
A final note about the integrity and confidentiality of viewstate and the effectiveness of CSRF protections. As mentioned, the security contract concerning viewstate is stated ambiguously in the documentation. Although the current mechanisms may be secure, there is no guarantee that this will not change in a future release of ASP.Net or the .Net Framework. To mitigate vulnerabilities related to viewstate, sensitive data should never be placed in the viewstate, viewstate integrity should not be relied upon, and a more comprehensive application-specific CSRF protection token is recommended for .Net applications. And remember that attackers will also pay close attention to this area in future versions of ASP.Net.
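The following is an added illustration, not code from the book, of the application-specific CSRF token recommended above for ASP.Net Web Forms: a per-session secret that does not depend on viewstate at all. The base class name, session key and hidden field name are assumptions chosen for the example.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.UI;

// Hypothetical base page: any page that accepts postbacks inherits from it
// instead of System.Web.UI.Page. The token lives in server-side session state,
// so its integrity never depends on viewstate MAC or encryption settings.
public class CsrfProtectedPage : Page
{
    private const string SessionKey = "__app_csrf_token"; // assumed session key
    private const string FieldName = "__APP_CSRF";        // assumed hidden field name

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);

        // First visit in this session: mint a fresh random token.
        if (Session[SessionKey] == null)
            Session[SessionKey] = NewToken();

        // Every postback must carry the token that belongs to this session.
        if (IsPostBack)
            VerifyToken();

        // Emit the token as a hidden field so legitimate forms post it back.
        ClientScript.RegisterHiddenField(FieldName, (string)Session[SessionKey]);
    }

    private static string NewToken()
    {
        byte[] bytes = new byte[32];
        RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
        rng.GetBytes(bytes); // cryptographic RNG, not System.Random
        return Convert.ToBase64String(bytes);
    }

    private void VerifyToken()
    {
        string expected = (string)Session[SessionKey];
        string supplied = Request.Form[FieldName];
        if (supplied == null || !FixedTimeEquals(expected, supplied))
            throw new HttpException(403, "Missing or invalid CSRF token");
    }

    // Compare without short-circuiting on the first mismatching character.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

A cross-site forged POST cannot include the session's token, so it fails at VerifyToken before any page logic runs, regardless of how viewstate is configured.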
Chapter 5: .Net Security 131
Using Error Pages to View System Information
Popularity: 8
Simplicity: 8
Impact: 4
Risk Rating: 6
To help developers debug applications, ASP.Net will catch unhandled exceptions that occur within the application and create a page listing the exception and the module in which it occurred; if source code is available, the page will also provide a listing of the code that generated the exception.