Hacking DropDownList

I have a DropDownList and am trying to prevent its use as an attack vector. Can I assume that the user cannot actually change the DDL and postback values to the server? At the moment, I am getting this ASP.NET error message if I try to change the package after sending:

For security purposes, this feature verifies that arguments to postback or callback events originate from the server control that originally rendered them.

Do I understand correctly that this is due to the fact that integrity is compromised in the viewstate hash? Is there any way around this?

thanks

+4
2 answers

In fact, you should be able to assume that the options for the drop-down list have not been changed on the client side until the page has EnableEventValidation = true (which is the default, although you can disable it on the page or in web.config). If a new value is added to your client side with a drop-down list and a postback occurs, an error will occur if you do not register this new value for checking events (http://odetocode.com/blogs/scott/archive/2006/03/21/asp-net-event-validation-and-invalid-callback-or-postback-argument-again.aspx).

+3

No, you cannot allow this.

You should always consider that all input data is unreliable, and treat it accordingly (make sure that it is what it should be, that it has the correct type, that the current user (or any other) has access to it, and so on).

+3
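
The server-side check described in the second answer, as an added example that is not part of either answer: the posted value is parsed strictly and then compared against the set of IDs the server computes for the current user on this request, regardless of whether event validation is enabled. The class and method names and the sample values are hypothetical; in a Web Forms handler the first argument would be the drop-down's `SelectedValue`.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;

public static class PostedSelection
{
    // Hypothetical helper. Returns true only if the posted value is a plain
    // run of digits AND is in the set the server looked up for the current
    // user on this request (not the set that was rendered into the page).
    public static bool TryGetAuthorizedId(string posted, ICollection<int> allowedForUser, out int id)
    {
        id = 0;
        if (allowedForUser == null) return false;

        int parsed;
        // NumberStyles.None rejects signs, whitespace, separators and hex,
        // so only canonical non-negative integers get through. null fails too.
        if (!int.TryParse(posted, NumberStyles.None, CultureInfo.InvariantCulture, out parsed))
            return false;

        // Authorization check: the value must belong to this user.
        if (!allowedForUser.Contains(parsed)) return false;

        id = parsed;
        return true;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample: IDs the server looked up for the signed-in user.
        var allowed = new HashSet<int> { 7, 12, 31 };

        // Constructed posted values: one legitimate, the rest altered or malformed.
        string[] postedValues = { "12", "9999", "12 ", "-7", "", null };

        foreach (string posted in postedValues)
        {
            int id;
            bool ok = PostedSelection.TryGetAuthorizedId(posted, allowed, out id);
            Console.WriteLine("{0,-8} -> {1}", posted ?? "(null)", ok ? "accepted " + id : "rejected");
        }
    }
}
```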

Source: https://habr.com/ru/post/1302638/

