The document summarizes a presentation about discovering a design issue in .NET's handling of view state fields without integrity protection. During a web application assessment in 2012, the presenter found that custom serialization of view state into an unprotected field could allow tampering by modifying the serialized object graph. This led to the realization that known .NET deserialization behaviors could be triggered remotely by manipulating the view state. A proof-of-concept exploited this by generating view state containing a FileInfo object that deleted a file on the server when deserialized. This uncovered a remote code execution vulnerability in some ASP.NET applications.