Taking a peek inside __VIEWSTATE

by on February 13, 2014


If you’ve ever viewed-source on a website built on ASP.NET Web Forms (classic ASP doesn’t have this), you may have noticed a massive blob of unintelligible text stored in a hidden input field called __VIEWSTATE. What you’re seeing is the page’s control state, serialized into a binary format and then Base64 encoded, which gets passed back and forth between the server and the client on every postback. I don’t understand how anyone ever thought this was a good idea, but there are a ton of sites that still use this technique. Just check out some old enterprise applications or many of Microsoft’s own websites and you’ll see what I mean. The United and US Airways websites are a couple of other good examples. Unless the __VIEWSTATE is encrypted, you’ll be able to take a look inside using this simple bookmarklet. Bear in mind that the MAC ASP.NET attaches by default (enableViewStateMac) only stops tampering; it does nothing to hide the contents. What you get back is raw serialized bytes, so expect readable strings such as control IDs and field values mixed in with binary framing:

javascript:(function(){
var f=document.getElementsByName("__VIEWSTATE")[0];
if(!f){alert("No __VIEWSTATE field on this page");return;}
var xmp=document.createElement("xmp");
xmp.appendChild(document.createTextNode(atob(f.value)));
document.body.insertBefore(xmp,document.body.firstChild);
})();

Drag this link to your toolbar to try it: Decode ViewState
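If you want to go a step further than eyeballing the Base64 output, here is an added example (my own code, not part of the original post) that parses the binary format underneath: the ObjectStateFormatter/LosFormatter token stream that ASP.NET Web Forms writes into __VIEWSTATE. It handles the token types you see in typical pages (pairs, triplets, ArrayLists, Hashtables, strings, ints, booleans, null) and throws on anything else rather than guessing. It also tells you when the blob lacks the 0xFF 0x01 header, which almost always means the ViewState is encrypted, and how many bytes trail the serialized object, which is where the MAC lives when enableViewStateMac is on. It runs under Node.js; the sample __VIEWSTATE value is constructed by hand for the demo (including a fake 20-byte MAC), and the token numbers are assumed to match the .NET Framework serializer.

```javascript
// Added example: decoder for the ObjectStateFormatter byte stream inside __VIEWSTATE.
// Node.js. Token values assumed from the .NET Framework serializer; unsupported
// tokens throw so the output is never silently wrong.
const TOK = {
  INT16: 1, INT32: 2, BYTE: 3, STRING: 5, PAIR: 15, TRIPLET: 16,
  STRING_ARRAY: 21, ARRAYLIST: 22, HASHTABLE: 23,
  INDEXED_STRING_ADD: 30, INDEXED_STRING: 31,
  NULL: 100, EMPTY_STRING: 101, ZERO_INT32: 102, TRUE: 103, FALSE: 104,
};

class ViewStateReader {
  constructor(buf) { this.buf = buf; this.pos = 0; this.strings = []; }

  byte() {
    if (this.pos >= this.buf.length) throw new Error("unexpected end of ViewState");
    return this.buf[this.pos++];
  }

  // BinaryWriter.Write7BitEncodedInt: little-endian base-128, high bit = "more bytes follow"
  int7() {
    let value = 0, shift = 0, b;
    do { b = this.byte(); value |= (b & 0x7f) << shift; shift += 7; } while (b & 0x80);
    return value;
  }

  // BinaryWriter.Write(string): 7-bit-encoded byte length followed by UTF-8 bytes
  str() {
    const len = this.int7();
    if (this.pos + len > this.buf.length) throw new Error("string runs past end of ViewState");
    const s = this.buf.subarray(this.pos, this.pos + len).toString("utf8");
    this.pos += len;
    return s;
  }

  list(n) { const out = []; for (let i = 0; i < n; i++) out.push(this.value()); return out; }

  value() {
    const t = this.byte();
    switch (t) {
      case TOK.NULL: return null;
      case TOK.EMPTY_STRING: return "";
      case TOK.ZERO_INT32: return 0;
      case TOK.TRUE: return true;
      case TOK.FALSE: return false;
      case TOK.BYTE: return this.byte();
      case TOK.INT16: { const v = this.buf.readInt16LE(this.pos); this.pos += 2; return v; }
      case TOK.INT32: return this.int7();
      case TOK.STRING: return this.str();
      // Strings are interned on first use and referenced by a one-byte index afterwards
      case TOK.INDEXED_STRING_ADD: { const s = this.str(); this.strings.push(s); return s; }
      case TOK.INDEXED_STRING: {
        const i = this.byte();
        if (i >= this.strings.length) throw new Error(`bad string table index ${i}`);
        return this.strings[i];
      }
      case TOK.PAIR: return { pair: this.list(2) };
      case TOK.TRIPLET: return { triplet: this.list(3) };
      case TOK.ARRAYLIST: return this.list(this.int7());
      case TOK.STRING_ARRAY: {
        const n = this.int7(), out = [];
        for (let i = 0; i < n; i++) out.push(this.str());
        return out;
      }
      case TOK.HASHTABLE: {
        const n = this.int7(), out = {};
        for (let i = 0; i < n; i++) { const k = this.value(); out[String(k)] = this.value(); }
        return out;
      }
      default:
        throw new Error(`unsupported ViewState token 0x${t.toString(16)} at offset ${this.pos - 1}`);
    }
  }
}

// Takes the raw value of the __VIEWSTATE field (Base64) and returns the decoded object.
function decodeViewState(b64) {
  const buf = Buffer.from(b64, "base64");
  // Unencrypted ViewState always starts with the two-byte header 0xFF 0x01.
  // Anything else is encrypted (or not Web Forms ViewState at all).
  if (buf.length < 2 || buf[0] !== 0xff || buf[1] !== 0x01) {
    return { encrypted: true, bytes: buf.length };
  }
  const r = new ViewStateReader(buf);
  r.pos = 2;
  const state = r.value();
  // Bytes after the root object are the MAC when enableViewStateMac is on:
  // 20 for the default HMAC-SHA1, 32 for HMACSHA256.
  const trailing = buf.length - r.pos;
  return { encrypted: false, state, trailing };
}

// Constructed sample (not captured from a real site): Triplet("ctl00$tb", [ "ctl00$tb", 300, true ], null)
// followed by a fake 20-byte MAC.
const SAMPLE_VIEWSTATE = Buffer.from(
  "ff01" + "10" + "1e08" + "63746c3030247462" + "1603" + "1f00" + "02ac02" + "67" + "64" +
  "a1b2c3d4e5f60718293a4b5c6d7e8f9001122334",
  "hex").toString("base64");

console.log(JSON.stringify(decodeViewState(SAMPLE_VIEWSTATE), null, 2));
```

To use it on a live page, copy the value attribute of the __VIEWSTATE input (or `document.getElementsByName("__VIEWSTATE")[0].value` from the console) and pass it to decodeViewState. If the result says encrypted, there is nothing to read without the server’s machineKey; if it decodes but trailing is 0, the page is also running without a MAC, which means the state can be edited and replayed, not just read.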