I know there are tools out there that will let you see the content of asp.net viewstate. Is it possible to see and modify the content of viewState if it has been encrypted by adding the <machineKey ... />
node to the web.config?
You can check viewstate on executed ASP.NET page by viewsource from browser. There you can find _VIEWSTATE kind of hidden field. ViewState increases the size of the page because page and page control value store in it.
ViewState is always encrypted. When working with sensitive data, it is a good practice to utilize encryption. The mode is a property on page, but is set using either a page directive or in the web. config file for the application.
View state is the method that the ASP.NET page framework uses to preserve page and control values between round trips. When the HTML markup for the page is rendered, the current state of the page and values that must be retained during postback are serialized into base64-encoded strings.
Sure. ViewState is simply base64
encoded (unless you specify that it should be encrypted). Here's a link to someone that wrote a ViewState viewer. Here's another by Fritz Onion. You probably will not be able to directly modify the ViewState
(i.e. outside of code) because ASP.NET has checks in place to specifically ensure that nothing has tampered with the ViewState
. See the EnableViewStateMAC setting for more.
Update
Thanks to link rot, the links to the various viewers are no longer valid. However, a simple search for "viewstate viewer" can find others on the Internet such as ASP.NET ViewState viewer
Please take a look into here How to decode viewstate I have provided full source code to get StateBag from viewstate string. Encrypted states are also possible to decrypt using same method but assigning keys.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With