All geek questions in one place

Can an attacker pass asp: Button with Visible = False?

Such a button is not displayed in the browser, so can any malicious user be able to trigger an action defined by an invisible button? e.g. with a JavaScript call on WebForm_DoPostBackWithOptions ? Would launch ASP.NET POST, which seems to have been launched by this button, even if it was not displayed?

+4
source share
3 answers

The short answer is yes .

It is always up to you (the developer) to ensure that you receive data received from user input (in this case, messages). Having said that the asp.net framework will do a lot of checks for you, such as "suspicious search values".

You can create a message at the endpoint of the website, even if there is no submit button on the page displayed.

Edit

This would be an example of security through obscurity and, as a rule, is not best practice. The Asp.Net submit buttons change the hidden field of the __EVENTTARGET form. Asp.net handlers will check this field when defining an event button. This value can be falsified if the attacker knew the name of the target.

Hiding / showing user interface elements is good for improving the user interface, but you should always check the user input (on the server) before performing any business actions.

+2
source

I do not believe that if this were not done, he should not accept the postback..net uses the hidden fields on the page to know what controls were on the page, and can check that during the postback, so that he knows what triggered the answer. if control was not there to begin with it, he should not accept it.

0
source

Yes, it is definitely possible. ASP.NET accepts all POST values โ€‹โ€‹for controls defined on the page, visible or not. Beware, for example, of text fields that are set to read-only. Do not use readonlyControl.Text after the message and hope that it has the same meaning as the last time you installed it.

Take a look at what is posted when you submit using ASP.NET using the Chrome Developer, Fiddler, etc. tools, and you need to know how to add your value to the โ€œinvisibleโ€ text box.

0
source

Source: https://habr.com/ru/post/1483196/

More articles:


All Articles