Figure 5-3: ASP.NET rejects requests containing a modified ViewState when the EnableViewStateMac option is set.
Even if the ViewState parameter is properly protected to prevent tampering,
it may still contain sensitive data stored by the application that could be of use
to an attacker. You can use the ViewState deserializer in Burp Proxy to decode
and render the ViewState on any given page to identify any sensitive data it
contains, as shown in Figure 5-4.
Figure 5-4: Burp Proxy can decode and render the ViewState, allowing you to review its
contents and edit these if the EnableViewStateMac option is not set.
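The same review can be scripted when auditing your own pages. The following is an added example, not code from the book or from Burp: it decodes a Base64 ViewState, collects every string stored in it, and reports whether bytes remain after the object graph (the appended hash when EnableViewStateMac is set). It assumes an unencrypted ViewState, uses token values from .NET's ObjectStateFormatter, and handles only a common subset of them; the sample values are constructed.

```python
import base64

def _varint(buf, i):
    """Read a .NET 7-bit encoded integer; return (value, next_offset)."""
    value = shift = 0
    while True:
        b = buf[i]
        i += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, i
        shift += 7

def _read(buf, i, strings):
    """Walk one serialized value, collecting its strings; return next offset."""
    tok = buf[i]
    i += 1
    if tok in (0x64, 0x65, 0x66, 0x67, 0x68):  # null, "", 0, true, false
        return i
    if tok == 0x02:                            # Int32
        return _varint(buf, i)[1]
    if tok in (0x05, 0x1E):                    # string, indexed string
        n, i = _varint(buf, i)
        strings.append(buf[i:i + n].decode("utf-8", "replace"))
        return i + n
    if tok in (0x0F, 0x10, 0x16):              # Pair, Triplet, ArrayList
        n, i = (2, i) if tok == 0x0F else (3, i) if tok == 0x10 else _varint(buf, i)
        for _ in range(n):
            i = _read(buf, i, strings)
        return i
    raise ValueError(f"unhandled token 0x{tok:02x} at offset {i - 1}")

def audit_viewstate(b64):
    """Return stored strings and the size of any trailer after the object graph."""
    raw = base64.b64decode(b64)
    if raw[:2] != b"\xff\x01":
        raise ValueError("no FF 01 header: encrypted or not a ViewState")
    strings = []
    end = _read(raw, 2, strings)
    trailer = len(raw) - end                   # appended hash when MAC is on
    return {"strings": strings, "trailer_bytes": trailer, "mac_present": trailer > 0}

def _s(text):                                  # helper for the constructed sample
    return b"\x05" + bytes([len(text)]) + text.encode()

# Constructed sample: Pair(string, Pair(Int32 5, ArrayList[string, null]))
BODY = (b"\xff\x01\x0f" + _s("internal_user_id=1042") + b"\x0f\x02\x05"
        + b"\x16\x02" + _s("discount_tier=staff") + b"\x64")
SIGNED = base64.b64encode(BODY + b"\xaa" * 20).decode()   # placeholder 20-byte MAC
UNSIGNED = base64.b64encode(BODY).decode()

if __name__ == "__main__":
    print(audit_viewstate(SIGNED))
```

Any string the audit returns is visible to every user who receives the page, whether or not the MAC is present, so values such as internal identifiers belong in server-side state instead.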