Are ASP.net __EVENTTARGET and __EVENTARGUMENT susceptible to SQL injection?

A security review was conducted for one of our ASP.net applications, and SQL Injection Exposures, which are considered high-risk, were returned in the test results.

The test passed the SQL statement as the values of __EVENTTARGET and __EVENTARGUMENT. I am interested, since these 2 values are ASP.net automatically generated hidden fields used for the Auto-Postback function in the structure, and contain information related to the controls that trigger the postback, is there really potential for SQL injection if you are never manually calling or pulling values from these parameters in your code?

+3
2 answers

.. if you never manually call and/or pull values from these parameters in your code behind ...

Assuming the above statement is true, I don’t see that these parameters are susceptible to SQL Injection. Perhaps you started an automatic scan, and this is a false signal?

+1

You should always assume that dirty data may be submitted from your form. By allowing it to load from the postback, __EVENTARGUMENT can be modified on the client side via JavaScript.

, , SQL-; SQL .

http://msdn.microsoft.com/en-us/library/ms998271.aspx

+2
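An added example, not part of either answer or of the original page: the case both answers turn on, code-behind that does read these hidden fields, shown with the value validated and bound as a SQL parameter instead of concatenated. The class name `OrderPage`, the control ID `OrderGrid`, the `Orders` table and the `AppDb` connection string are hypothetical.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI;

// Hypothetical Web Forms code-behind; class, control, table and
// connection-string names are assumptions made for this example.
public partial class OrderPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack) return;

        // Both hidden fields arrive in the POST body and are client-controlled.
        string target = Request.Form["__EVENTTARGET"];
        string argument = Request.Form["__EVENTARGUMENT"];

        // Act only on the postback source this handler expects.
        if (!string.Equals(target, "OrderGrid", StringComparison.Ordinal)) return;

        // Vulnerable pattern (do not use): the argument becomes part of the SQL text.
        //   "SELECT Status FROM Orders WHERE OrderId = " + argument

        // Hardened: check the expected type first, then bind the value as a parameter.
        int orderId;
        if (!int.TryParse(argument, out orderId) || orderId <= 0)
        {
            Response.StatusCode = 400;
            return;
        }
        Response.Write(Server.HtmlEncode(LookupStatus(orderId) ?? "not found"));
    }

    private static string LookupStatus(int orderId)
    {
        string cs = ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(
            "SELECT Status FROM Orders WHERE OrderId = @id", conn))
        {
            // The value travels separately from the statement text.
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = orderId;
            conn.Open();
            return cmd.ExecuteScalar() as string; // null when no row matches
        }
    }
}
```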

Source: https://habr.com/ru/post/1739897/

