I read somewhere that its possible to modify viewstate but I didn't find the steps to achieve it.
For example: I want to modify the viewstate of label, initially lable text is "Hi.." and I want to change it to "Hello" by modifying its viewstate on postback.
Any suggestion will be appreciated.
I'm guessing you're talking about maliciously modifying the __VIEWSTATE hidden field as an end user, not modifying the ViewState from within code. This may or may not be feasible (hopefully not), depending on some of your application's settings. The two that are going to make it pretty hard are EnableViewStateMac and ViewStateEncryptionMode. These are often set on the <pages> element in Web.config.
ViewStateEncryptionMode is not really designed to prevent ViewState tampering; it's meant to obscure whatever content you have embedded in ViewState. For example, if you decided to add some secret information about yourself to ViewState (e.g., ViewState["secretinfo"] = "My social security number is xxx-xx-xxxx.";), any user that comes along and loads your page can take your __VIEWSTATE field and run it through a base64 decoder to find your social security number—unless, of course, you're encrypting ViewState.
As an example, here's a .aspx page I found through a simple Google search. View source, grab the ViewState, and paste it into this base64 decoder. Among a few ugly characters, you'll find a bunch of plain text. This ViewState has obviously not been encrypted (which is probably not a bad thing).
Now, if you were a curious or possibly malicious person, you might try to modify some of the text you found in the ViewState, re-encode it as base64, and plop it back into the __VIEWSTATE field. (In many browsers, just open the JS console and type document.querySelector("[name=__VIEWSTATE]").value = "whatever your base64 text is";.) Now when you submit the form, the page will post back with the modified ViewState.
This is where EnableViewStateMac comes into play. As MSDN notes, this setting should always be enabled on a production site, as this is the setting that's meant to prevent malicious folks from tampering with the __VIEWSTATE field. To oversimplify, it basically calculates a hash (actually a message authentication code) of the __VIEWSTATE value and sends this alongside the __VIEWSTATE. (It's embedded at the end of the string and doesn't decode back to a nice plain-text string.) If you modify some text within the __VIEWSTATE, the message will no longer match the MAC, and .NET will catch this and throw an exception before you even have a chance to process the request.
TL;DR
As long as you have EnableViewStateMac on (which you should), you can't really modify the __VIEWSTATE field.
You can change the viewstate of the label by just setting the Text property on the label object in the code-behind. Most properties of the built-in ASP.NET controls are backed by viewstate so setting the property will indirectly change the viewstate for that control.
In your .aspx:
<asp:Label id="myLabel" Text="Hi.." />
In your .aspx.cs:
myLabel.Text = "Hello";
Couldn't you reset the value on PostBack event? such like:
mylabel.Text = "Hello";
The view state is stored in a hidden field on the page. Although view state stores data in a hashed format [encoded format], so it will be not easy to modify with correct values and it will lead tempering in viewstate.
You need to modify Viewstate, you need to know proper encoding and decoding algo.
So don't try to modify the view state.
The short answer is that you can.
To modify the View State, you would essentially have to:
This article gives a more in-depth look into parsing the View State. It also includes references to tools which may be used for parsing/decoding View State: Understanding ASP.NET View State.
