ASP.NET ViewState attacks

TL;DR: Unencrypted or weak-key ViewState — deserialise to RCE, or tamper to alter server-side state.

Stub — to be filled in.

What it is

TODO

Preconditions / where it applies

TODO

Technique

TODO

Detection and defence

TODO

References

https://soroush.me/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/