Is it possible to decrypt and view ViewState values?

Abe Miessler · Apr 14, 2010 · Viewed 23.8k times

I know there are tools out there that will let you see the content of ASP.NET ViewState. Is it possible to see and modify the content of ViewState if it has been encrypted by adding the <machineKey ... /> node to the web.config?

Answer

Thomas · Apr 14, 2010

Sure. ViewState is simply base64 encoded (unless you specify that it should be encrypted). Here's a link to someone that wrote a ViewState viewer. Here's another by Fritz Onion. You probably will not be able to directly modify the ViewState (i.e. outside of code) because ASP.NET has checks in place to specifically ensure that nothing has tampered with the ViewState. See the EnableViewStateMAC setting for more.

Update

Thanks to link rot, the links to the various viewers are no longer valid. However, a simple search for "viewstate viewer" can find others on the Internet, such as ASP.NET ViewState viewer.
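
The following is an added example, not part of the original answer or any of the viewers it mentions: a small Python check you can run against the `__VIEWSTATE` value of your own pages to see whether it is readable after base64 decoding or opaque. It assumes the standard ObjectStateFormatter serialization, whose output begins with the bytes `FF 01`; the function name and both sample values are constructed for illustration.

```python
import base64
import binascii
import re

# Assumption: ObjectStateFormatter output starts with a format marker (0xFF)
# followed by version 1 (0x01). Encrypted ViewState has no such header.
MAGIC = b"\xff\x01"


def inspect_viewstate(field_value, min_len=4):
    """Classify a __VIEWSTATE value and list readable strings if it is not encrypted."""
    try:
        raw = base64.b64decode(field_value, validate=True)
    except (binascii.Error, ValueError):
        return {"status": "not-base64", "strings": []}
    if not raw.startswith(MAGIC):
        # No serializer header: encrypted (or otherwise opaque) payload.
        return {"status": "opaque", "strings": []}
    # Printable ASCII runs are what any viewer, or any user, can read back.
    # A trailing MAC, if present, is binary and is not parsed here.
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    strings = [m.decode("ascii") for m in re.findall(pattern, raw)]
    return {"status": "plaintext", "strings": strings}


# Constructed sample: header, two length-prefixed strings, then 20 zero bytes
# standing in for a MAC. Not captured from a real page.
PLAIN_SAMPLE = base64.b64encode(
    b"\xff\x01\x05\x0bHello World\x05\x09secret=42" + bytes(20)
).decode()

# Constructed sample: arbitrary bytes without the header, standing in for
# an encrypted ViewState.
OPAQUE_SAMPLE = base64.b64encode(bytes(range(16, 80))).decode()

if __name__ == "__main__":
    for name, value in (("plain", PLAIN_SAMPLE), ("opaque", OPAQUE_SAMPLE)):
        print(name, inspect_viewstate(value))
```

A "plaintext" result means the MAC only stops modification; anything placed in ViewState is still readable by the client unless encryption is enabled.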