Taking a peek inside __VIEWSTATE

If you’ve ever viewed-source on a website that uses Microsoft technology like ASP or .NET, you may have noticed a massive blob of unintelligible text stored in a input field called __VIEWSTATE. What you’re seeing is actually a bunch of Base64 encoded data that gets passed back and forth between the server and the client. I don’t understand how anyone ever thought this was a good idea, but there are a ton of sites that still use this technique. Just check out some old enterprise applications or any Microsoft website and you’ll see what I mean. The United and US Airways websites are a couple other good examples. Unless the __VIEWSTATE is encrypted, you’ll be able to take a look inside using this simple bookmarklet:


Drag this link to your toolbar to try it: Decode ViewState