Basically, by default ViewState is just Base64-encoded, so you can decode it as long as the administrator hasn't configured the site to encrypt it. The following machineKey section shows By clicking Post Your Answer, you agree to our terms of service, privacy policy and cookie policy. property has been set to Always. the __VIEWSTATE parameter does not need to be encrypted when Follow I'm guessing something has changed - the textbox at the bottom left is a command prompt of some kind, and pasting in viewstate does nothing useful. A small Python 3.5+ library for decoding ASP.NET viewstate. The nature of simulating nature: A Q&A with IBM Quantum researcher Dr. Jamie We've added a "Necessary cookies only" option to the cookie consent popup. The enterprise-enabled dynamic web vulnerability scanner. Is it possible to decode EventValidation and ViewState in ASP.NET? The Viewstate decoder accepts Base64 encoded .NET viewstate data and returns the decoded output in the form of plain Python objects. of viewstate MAC failed). should be noted that most scanners do not attempt to send an unencrypted This information is then put into the view state hidden . Do not hard-code the decryption and validation keys in web.config file. Work fast with our official CLI. In case there are any remaining bytes after parsing, they are assumed to be HMAC signatures, with the types estimated according to signature length. Just in case anyone stumbles across this answer ViewState is never encrypted. Quoting from my previous answer: If you are writing the control for your own consumption and you only need to read from ViewState, you could do so, but I wouldn't . The Viewstate decoder accepts Base64 encoded .NET viewstate data and returns the decoded output in the form of plain Python objects.