JavaScript ViewState Parser

I completed the first version of a JavaScript-based ViewState decoder.

The parser should work with most non-encrypted ViewStates. It doesn’t handle the serialization format used by .NET version 1 because that version is sorely outdated and therefore too unlikely to be encountered in any real situation.

I’m working on a version to decode encrypted ViewState. That version will require knowledge of the decryption key. (While creating a brute-forcer in JavaScript to guess the decryption key might be interesting from a development perspective, it’s utility is questionable and success improbable.)

The next step will be the ability to edit the ViewState contents and re-serialize it.

If you encounter any problems, feel free to ask questions or post troublesome ViewStates in the comments below.

Published by Mike Shema

Security, RPGs, and writing. Immersed in music (80s), sci-fi (dystopian), and horror (spooky). #synthwave Host of the Application Security Weekly podcast.