Microsoft .NET Hidden 'ViewState' Detection

info Nessus Network Monitor Plugin ID 5081

Synopsis

The remote .NET application stores state information within a hidden form field.

Description

The remote ASP.NET application stores page state in the hidden '__VIEWSTATE' form field, and that value is not protected by a message authentication code (MAC). Without the MAC the server cannot tell that the field has been changed, so an attacker who can intercept the request in transit, or who simply edits the field in the browser before the postback, can modify the ViewState and possibly alter the state or output of the .NET application. Note also that ViewState is only Base64-encoded unless encryption is enabled, so any data the application places in it is readable by the client.
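An added worked example, written for this page and not taken from the Nessus Network Monitor plugin (NNM is a passive monitor and does not send requests): a small Python helper for confirming the condition by hand against an application you are authorized to test. It decodes a '__VIEWSTATE' value, checks for the ObjectStateFormatter marker bytes 0xFF 0x01 (Base64 prefix "/wE") that mean the state is readable, produces a tampered copy to post back, and classifies the server's reply. The sample field values and the two server responses are constructed for the example; the postback itself is left to the reader's HTTP client.

```python
import base64
import re

# ASP.NET 2.0+ serializes ViewState with ObjectStateFormatter; the decoded
# stream starts with the marker bytes 0xFF 0x01 (Base64 prefix "/wE").
LOS_MARKER = b"\xff\x01"

# Constructed sample values (not captured from a real application):
# a readable, serialized ViewState, and an opaque blob standing in for an
# encrypted one. The filler bytes after the marker are arbitrary.
SAMPLE_PLAIN_VIEWSTATE = base64.b64encode(
    LOS_MARKER + b"\x0f\x16\x02\x01\x05" + b"admin=false" * 2
).decode()
SAMPLE_OPAQUE_VIEWSTATE = base64.b64encode(b"\x8c\x2a\x91\x44" * 8).decode()

# Text ASP.NET puts in its error page when MAC validation fails.
MAC_FAILURE_RE = re.compile(r"Validation of viewstate MAC failed", re.IGNORECASE)


def decode_viewstate(field: str) -> bytes:
    """Base64-decode the hidden field value; raises binascii.Error on junk."""
    return base64.b64decode(field, validate=True)


def is_readable_state(field: str) -> bool:
    """True when the field is an unencrypted ObjectStateFormatter stream.

    This only says the state is readable (data leakage), not whether a MAC
    is appended: a MAC-protected ViewState carries the same prefix, with the
    MAC at the end of the stream.
    """
    return decode_viewstate(field).startswith(LOS_MARKER)


def tamper_viewstate(field: str, offset: int = 2) -> str:
    """Flip one bit inside the serialized payload and re-encode it.

    Posted back to the server, a MAC-protected ViewState is rejected; an
    unprotected one is deserialized as if it were genuine. The default offset
    skips the two marker bytes so the stream still looks like ViewState.
    """
    raw = bytearray(decode_viewstate(field))
    if offset >= len(raw):
        raise ValueError("offset beyond end of ViewState")
    raw[offset] ^= 0x01
    return base64.b64encode(bytes(raw)).decode()


def classify_response(status: int, body: str) -> str:
    """Interpret the server's reply to a postback carrying the tampered field."""
    if MAC_FAILURE_RE.search(body):
        return "mac-enforced"        # tamper detected: enableViewStateMac is on
    if 200 <= status < 300:
        return "tamper-accepted"     # page rendered normally: no MAC validation
    return "inconclusive"            # other error (custom error page, bad deserialization)


if __name__ == "__main__":
    print("readable state:", is_readable_state(SAMPLE_PLAIN_VIEWSTATE))
    print("tampered field:", tamper_viewstate(SAMPLE_PLAIN_VIEWSTATE))
    # Constructed replies standing in for two different servers.
    print(classify_response(500, "<h1>Validation of viewstate MAC failed.</h1>"))
    print(classify_response(200, "<html><body>Welcome back</body></html>"))
```

A 500 without the MAC message is deliberately reported as inconclusive: with customErrors on, a MAC-protected site hides the reason, and an unprotected site may fail to deserialize the corrupted stream, so only a normally rendered page is evidence that tampering was accepted.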

Solution

Enable MAC validation of the ViewState. Set 'enableViewStateMac="true"' on the '<pages>' element of the application's web.config (or of machine.config, or per page in the '@ Page' directive). If the application runs on more than one server, also configure a shared '<machineKey>' so that every server validates with the same key, otherwise legitimate postbacks will fail. If the ViewState carries sensitive data, additionally set 'viewStateEncryptionMode="Always"' so that it is encrypted rather than merely Base64-encoded. Note that starting with .NET Framework 4.5.2 the MAC is always enforced and the setting can no longer be turned off. See the referenced MSDN article for more information.

See Also

http://msdn.microsoft.com/en-us/library/ms972976.aspx

Plugin Details

Severity: Info

ID: 5081

Family: Data Leakage

Published: 8/18/2004

Updated: 6/1/2015