[watermelon0]

I assume the idea behind __VIEWSTATE is that you don't have to save anything on the server side, which makes the whole architecture easier (no need for storage layer, sharing the secret between machines allows for load balancing), and you can support as many clients as possible, since you don't have to worry about the storage size.

__VIEWSTATE should be as secure as JSON Web Tokens, unless you manage to leak the secret (or as in this case, you use a shared one for all customers.)

I don't know why exactly did they choose to (de)serialize executable code, instead of using an XML or similar format, but similar choices were made (and later changed) with frameworks/libraries for other languages, so they are not the only one.

[danielheath]

There have been vulnerabilities in java and rails caused by deserializing arbitrary classes with given constructor parameters.

An attacker just has to find one that (e.g.) accepts a url and a filepath in its constructor and saves the file to that location, and you've (usually) got code execution (by eg overwriting something that gets run frequently).

[to11mtm]

I could have some of the specifics wrong here, especially since it's been forever...

But the problem is there are some things that needed to be serialized for things like .NET remoting or firing stuff across appdomains. Things like Delegates.

Now, I -think- the intent, back in the day that ASP.NET was created, to use Code Access Security/Security Transparent Code (CAS/STC) to safely put a system like this together. But CAS/STC is pretty easy to do 'wrong' and a lot of people, rather than setting up the correct LinkDemands for individual items like Database, File IO, ETC on the specific endpoints, would just toss 'AllowPartiallyTrustedCallersAttribute' on the assembly and call it a day. This renders it CAS/STC almost worthless, to the point Microsoft half-killed this concept in Net 4.0 and in Core it's just about gone.

[e12e]

Handling user input is tricky, and so is (de) serialization (I seem to recall most big frameworks from ruby, via php and python through Java - all doing some form of unsafe marshaling from both xml and json).

For encrypted and signed data on the client, you get to add "crypto is hard" on top.

You get things like clear signed data - that makes it easier to de-couple verifying signatures from marshaling contained data - perhaps without checking the signature...

You get encrypted data that isn't using a proper authenticated encryption construct - and again open the door for manipulated data.

Even with proper encryption, you get key revocation wrong (left out), and there's maybe no expiry on chiper texts either - so you happily accept data encrypted and signed by a compromised or expired key.

And there's key management, like in this case, re-using a key that should be sigle client/single session.

Oh,and re-play attacks due to missing serial numbers/nonce on transactions/messages...

But yeah, sure. Like another comment mentions - in theory encrypted data managed by the client is sound.. Unfortunately in practice theory isn't always right.