(content taken from different website(s))
The contents of ViewState are serialized using ‘LOSFormatter’ which performs ASCII serialization and encodes the output using Base64 encoding. There are lot of VIEWSTATE decoder available in the Internet. The VIEWSTATE is not encrypted by default its just simple Base64 encoding which can easily decoded with cool little tools.
How we can secure this ?
A hashcode will not secure the actual data within the ViewState field, but it will greatly reduce the likelihood of someone tampering with ViewState to try to spoof your application, that is, posting back values that your application would normally prevent a user from inputting.
You can instruct ASP.NET to append a hashcode to the ViewState field by setting the EnableViewStateMAC attribute:
<%@Page EnableViewStateMAC=true %>
EnableViewStateMAC can be set at the page or application level. Upon postback, ASP.NET will generate a hashcode for the ViewState data and compare it to the hashcode store in the posted value. If they don’t match, the ViewState data will be discarded and the controls will revert to their original settings.
By default, ASP.NET generates the ViewState hashcode using the SHA1 algorithm. Alternatively, you can select the MD5 algorithm by setting <machineKey> in the machine.config file as follows:
<machineKey validation="MD5" />
You can use encryption to protect the actual data values within the ViewState field. First, you must set EnableViewStatMAC="true" , as above. Then, set the machineKey validation type to 3DES . This instructs ASP.NET to encrypt the ViewState value using the Triple DES symmetric encryption algorithm.
<machineKey validation="3DES" />