问题
I know there are tools out there that will let you see the content of asp.net viewstate. Is it possible to see and modify the content of viewState if it has been encrypted by adding the <machineKey ... /> node to the web.config?
回答1:
Sure. ViewState is simply base64 encoded (unless you specify that it should be encrypted). Here's a link to someone that wrote a ViewState viewer. Here's another by Fritz Onion. You probably will not be able to directly modify the ViewState (i.e. outside of code) because ASP.NET has checks in place to specifically ensure that nothing has tampered with the ViewState. See the EnableViewStateMAC setting for more.
Update
Thanks to link rot, the links to the various viewers are no longer valid. However, a simple search for "viewstate viewer" can find others on the Internet such as ASP.NET ViewState viewer
回答2:
Please take a look into here How to decode viewstate I have provided full source code to get StateBag from viewstate string. Encrypted states are also possible to decrypt using same method but assigning keys.
回答3:
Edit: Here's a new link for an online viewstate decoder, since the original one is no longer available.
https://www.httpdebugger.com/Tools/ViewstateDecoder.aspx
Original:
I like this view state decoder. Very easy to use.
removed outdated link
来源:https://stackoverflow.com/questions/2638671/is-it-possible-to-decrypt-and-view-viewstate-values