Details
Alert ID 90001
Alert Type Passive
Status release
Risk Medium
CWE 642
WASC 14
Technologies Targeted All
Tags CWE-642
OWASP_2017_A06
OWASP_2021_A04
POLICY_PENTEST
POLICY_QA_STD
More Info Scan Rule Help

Summary

The response at the following URL contains a ViewState value that has no cryptographic protections.

Solution

Secure VIEWSTATE with a MAC specific to your environment.

Other Info

JSF ViewState [<input type="hidden" id="javax.faces.viewstate" value="1231"] is insecure.

References

Code

org/zaproxy/zap/extension/pscanrules/InsecureJsfViewStatePassiveScanRule.java