I have an asp.net web app that's going through a pen test by internal IT. They are using IBM AppScan to run scans against the web app. One of the errors that keeps coming up is viewstate input field related. The tool modifies the viewstate and sends it back to the server. The server throws an error, then catches it and redirects the user to a generic error handling screen. AppScan marks this as a blind SQL injection.
I'm explaining this to the IT security guys. I tell them that the best thing I can do is catch the error and return an error screen to the user. They are insisting that there's some kind of SQL injection going on.
What other way or method do you recommend for this kind of situation? How do others handle this? If a user deliberately changes the viewstate, isn't an error screen the best reply?
If the phrase:
Look! Here's the damned error record I logged! You can clearly see, the application is unhappy because of invalid view state. Which is correct, because your viewstate was not valid! If you think you've performed a SQL injection, please tell me what SQL you think you injected! Look, here's a SQL trace I took at the same time! Show me the SQL. SHOW ME THE SQL!
doesn't work, then... I dunno, maybe don't use viewstate? That'll stop 'em...
Another option would just be: log the fault internally, and just log them out.
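As an added example (not code from the question or the answer above) of the "log the fault internally and log them out" option, this is what that handler looks like in an ASP.NET Web Forms Global.asax. It assumes Forms authentication, a generic ~/Error.aspx page, and an assumed helper LogViewStateFault standing in for the application's own logger.

```csharp
// Global.asax.cs (constructed example). ASP.NET rejects a view state whose MAC
// or decryption check fails before the page processes it, surfacing the fault as
// an HttpException wrapping a ViewStateException. No SQL has run at that point.
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public class Global : HttpApplication
{
    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        if (ex == null)
            return;

        ViewStateException vse = ex as ViewStateException
                                 ?? ex.InnerException as ViewStateException;
        if (vse == null)
            return; // not a view state fault: leave it to the normal error handling

        // Record the evidence the testers will ask for: which request carried the
        // rejected view state, and that it was the framework's check that failed.
        LogViewStateFault(vse);

        // Treat a tampered view state as an untrusted request: drop the session,
        // sign the user out, then show the generic error page.
        if (Context.Session != null)
            Context.Session.Abandon();
        FormsAuthentication.SignOut();
        Server.ClearError();
        Response.Redirect("~/Error.aspx", false);
    }

    // Assumed helper; replace the Trace call with the application's own logger.
    private static void LogViewStateFault(ViewStateException vse)
    {
        System.Diagnostics.Trace.TraceWarning(
            "Invalid view state rejected. Path={0} RemoteAddress={1} UserAgent={2} Referer={3}",
            vse.Path, vse.RemoteAddress, vse.UserAgent, vse.Referer);
    }
}
```

This only works if view state MAC validation is left on (enableViewStateMac="true", the default in the pages section of web.config); with it disabled, a modified view state would be accepted and processed instead of rejected.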