If ViewStateMAC is enabled in an ASP.NET application, can a user modify what is in ViewState and successfully pass it back to the server?
I have an application (that
Yes, you can modify the ViewState and post it back, by simply copying the page to a local site as html and modifying it.
However, on post back the validation will fail and it will not be accepted by ASP.NET if you have the EventValidation property enabled - it is enabled by default.
ASP.NET saves a hash for every control and every event on the page in this property, and validates it on post back. If this fails, then it does not continue. If you have this disabled, then it can do what you say.
Look at this simple html form:
<form name="input" action="someaction.asp" method="post">
<select name="sel">
<option value="1" >Milk</option>
<option value="2" >Coffee</option>
<option value="3" >Tea</option>
</select>
<input type="submit" value="Submit">
</form>
anyone can change the <option value="1" >Milk</option>
to <option value="1 OR 1=1" >Milk</option>
and post it back as is, so you need to add a hash code before rendering it, post it back together with the rest, and validate that the values are the same (return the same hash).
Some sites and coders choose to encrypt every single value on post back; if for example you look at Amazon, you notice lines like:
<input name="offeringID.1" value="y3A0L7tSnS%2B7LBLvI....morehere" type="checkbox" id="fbt_x_check" style="display: none;" class="check" checked="checked">
And if you use a custom html control you need to add your own validation of the values, to avoid them being modified.
ASP.NET developers have decided to make a total hash of the values of all controls, and keep it in the EventValidation.
So keep EventValidation on, and the modification will fail.
If ViewStateMAC is enabled the attacker would need to be able to crack the "machine key" in order to alter the ViewState, so it should be reasonably secure if this value is kept private.
Is the value set in the code behind (e.g. ViewState["OrderBy"]) rather than via a control? If so this will not be subject to Event Validation.
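The first answer's suggestion (append a hash before rendering, check it on post back) and the second answer's point (with ViewStateMAC on, the client cannot produce a valid tag without the machine key) describe the same mechanism. The following is an added, stand-alone Python illustration of that mechanism, not ASP.NET's own ViewState format or code; the secret key, the JSON serialization and the helper names (protect, unprotect, simulate_client_edit) are assumptions made for the example. The require_mac switch models ViewStateMAC being turned off, which is the case the first answer warns about.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for the server's machine key. It stays on the
# server and is never sent to the client.
MACHINE_KEY = secrets.token_bytes(32)
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def protect(state: dict, key: bytes = MACHINE_KEY) -> str:
    """Serialize the per-page state, append an HMAC-SHA256 tag over it,
    and base64-encode the result for a hidden form field."""
    payload = json.dumps(state, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + tag).decode()


def unprotect(field: str, key: bytes = MACHINE_KEY, require_mac: bool = True):
    """Return the state dict if the posted field verifies, else None.

    With require_mac=False the tag is ignored, which is what accepting
    an unsigned ViewState amounts to: any client edit is taken at face value."""
    try:
        raw = base64.b64decode(field, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= TAG_LEN:
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    if require_mac:
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        # Constant-time comparison so the check itself leaks nothing.
        if not hmac.compare_digest(tag, expected):
            return None
    try:
        return json.loads(payload)
    except ValueError:
        return None


def simulate_client_edit(field: str, old: str, new: str) -> str:
    """Model the scenario in the answers: the browser-side copy of the
    hidden field is edited without access to the key. The original tag
    is kept because the client has no way to recompute it."""
    raw = base64.b64decode(field)
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    payload = payload.replace(old.encode(), new.encode())
    return base64.b64encode(payload + tag).decode()


def demo() -> dict:
    """Run the round trip and return the outcomes of each check."""
    field = protect({"sel": "1", "OrderBy": "name"})
    edited = simulate_client_edit(field, '"sel":"1"', '"sel":"1 OR 1=1"')
    return {
        "untouched_accepted": unprotect(field) is not None,
        "edited_rejected_with_mac": unprotect(edited) is None,
        "edited_accepted_without_mac": unprotect(edited, require_mac=False),
        "wrong_key_rejected": unprotect(field, key=b"\x00" * 32) is None,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The server-side state (including a code-behind value such as an "OrderBy" key) is covered by the tag as a whole, so the MAC check protects it even though, as the second answer notes, Event Validation alone does not.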