I’m manually testing a web application. When I read __VIEWSTATE fields, they seem to be encoded in base64. I tried to decode them using http://viewstatedecoder.azurewebsites.net/
but this message appears:
32 byte(s) left over, perhaps an HMACSHA256 signature?
Does this mean that __VIEWSTATE is just partially encrypted? How can I be sure of what part is readable?
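
One way to check offline which part of such a value is readable, as an added example that is not part of the original post: it base64-decodes the field, looks for the `FF 01` marker that unencrypted serialized ViewState starts with, and splits off the last 32 bytes as the candidate HMACSHA256 trailer. The function name, the sample values and the demo key are constructed for illustration, and treating the final 32 bytes as the MAC is an assumption taken from the decoder's message.

```python
import base64
import hashlib
import hmac
import re

MAC_LEN = 32          # HMACSHA256 digest size, matching "32 byte(s) left over"
MARKER = b"\xff\x01"  # first bytes of serialized ViewState that is not encrypted


def inspect_viewstate(b64_value, mac_len=MAC_LEN):
    """Split a __VIEWSTATE value into serialized body and trailing MAC bytes."""
    raw = base64.b64decode(b64_value, validate=True)
    if not raw.startswith(MARKER):
        # No serializer marker: treat the whole value as opaque (likely ciphertext).
        return {"readable": False, "body": raw, "trailer": b"", "strings": []}
    if len(raw) < len(MARKER) + mac_len:
        body, trailer = raw, b""  # too short to carry a 32-byte trailer
    else:
        body, trailer = raw[:-mac_len], raw[-mac_len:]  # assumed MAC at the end
    # Printable ASCII runs in the body are what anyone holding the value can read.
    strings = [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{4,}", body)]
    return {"readable": True, "body": body, "trailer": trailer, "strings": strings}


# Constructed samples, not captured from a real application. The HMAC below only
# produces a realistic 32-byte trailer; it does not reproduce ASP.NET's keying.
_body = MARKER + b"\x0f\x05\x08UserName\x05\x05alice"
_mac = hmac.new(b"constructed-demo-key", _body, hashlib.sha256).digest()
SIGNED_SAMPLE = base64.b64encode(_body + _mac).decode()
# Leading 0x3a keeps this opaque sample from ever starting with the marker.
ENCRYPTED_SAMPLE = base64.b64encode(
    b"\x3a" + hashlib.sha256(b"stand-in for ciphertext").digest() * 2
).decode()

if __name__ == "__main__":
    for name, value in (("signed", SIGNED_SAMPLE), ("encrypted", ENCRYPTED_SAMPLE)):
        info = inspect_viewstate(value)
        print(name, info["readable"], len(info["trailer"]), info["strings"])
```

A value that decodes with the marker and readable strings is signed but not encrypted: the trailer protects integrity only, and the body is visible to whoever holds the page.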