Loading ViewState Decoder...
Decode an unencrypted ASP.NET __VIEWSTATE into a readable tree, and detect whether it is encrypted or MAC-signed. Runs entirely in your browser.
ASP.NET Web Forms stores page state in a base64 __VIEWSTATE field, serialized by the LosFormatter / ObjectStateFormatter. It can be plain, MAC-signed for integrity, or encrypted. Reading it reveals control state and helps assess whether a site is exposed to ViewState tampering or deserialization attacks. This tool decodes the unencrypted format into a structured tree and reports the protection in place.
Input:
/wEPDwUKLTEyNzU0Mzc4OWRk
Output:
Pair(Pair("-127543789", null), null)Why can't it decode some ViewState?
If the ViewState is encrypted (no 0xFF 0x01 header) it needs the application's machine key, which the tool does not have. Only unencrypted ViewState can be parsed.
What does the MAC tell me?
A trailing MAC means ViewState MAC is enabled, so the value is integrity-protected. No MAC on an unencrypted ViewState is a classic tampering and deserialization risk.
Does it cover every type?
It handles the common LOS tokens (pairs, triplets, strings, arrays, primitives). Exotic or binary-serialized members may not be fully expanded and are reported as unsupported.
Is anything uploaded?
No. Decoding runs entirely in your browser.
Decode an unencrypted __VIEWSTATE (LosFormatter / ObjectStateFormatter) into a readable tree, and detect whether it is encrypted or MAC-signed. Everything runs in your browser.
Parses the LOS ObjectStateFormatter format (Pair, Triplet, strings, arrays and primitives). A trailing MAC indicates ViewState MAC protection; a missing 0xFF 0x01 header indicates encryption. Useful for spotting ViewState that is unprotected against tampering.