Hacking DropDownList values

Posted 2024-08-23 14:26:58 · 224 characters · 9 views · 0 comments


I've got a DropDownList and I'm trying to prevent it from being used as an attack vector. Can I assume that the user is unable to actually change the values of the DDL and postback to the server? At the moment, I get this ASP.NET error message thrown if I try and change the packet after submission:

For security purposes, this feature verifies that arguments to postback or callback events originate from the server control that originally rendered them.

Am I right in thinking that this is due to the integrity being compromised in the viewstate hash? Can this be bypassed?

Thanks


Comments (2)

皓月长歌 2024-08-30 14:26:58


Actually you should be able to assume that the dropdown list options have not been changed client side as long as the page has EnableEventValidation = true (which is the default, although you can disable it per page or in the web.config). If a new value is added to your dropdownlist client side and a postback occurs, an error will occur unless you register this new value for event validation (http://odetocode.com/blogs/scott/archive/2006/03/21/asp-net-event-validation-and-invalid-callback-or-postback-argument-again.aspx).

枕头说它不想醒 2024-08-30 14:26:58


No, you can't assume that.

You should always consider that all input is untrusted, and treat it appropriately (make sure it is what it should be, and that it is of the right type, and that the current user (or whatever) has access to it, and so on).
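The two answers above fit together: event validation (the first answer) stops a tampered postback before your handler runs, but it is a page-level setting that can be switched off, so the posted value still has to be checked against what the current user is allowed to choose (the second answer). The C# code-behind below is an added example, not code from the original thread or from the linked article; it keeps EnableEventValidation on, registers dynamically built options with `ClientScript.RegisterForEventValidation` during `Render` (the approach the linked odetocode post describes), and then re-validates the raw posted value in the click handler. The page name, the `ddlProduct` control, the `btnSubmit_Click` handler and the `AllowedProductIdsForCurrentUser` helper with its hard-coded ids are all assumptions made for this example.

```csharp
// Added example (not from the original thread): ASP.NET Web Forms code-behind
// for an assumed page Products.aspx declared with EnableEventValidation="true"
// (the default). The DropDownList "ddlProduct" and Button "btnSubmit" are
// assumed to be declared in the page markup / designer file.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class Products : Page
{
    // Assumption: in a real project this comes from the data layer, filtered by
    // the current user's permissions. Constructed values for the example.
    private static IEnumerable<string> AllowedProductIdsForCurrentUser()
    {
        return new[] { "101", "102", "103" };
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            ddlProduct.Items.Clear();
            foreach (string id in AllowedProductIdsForCurrentUser())
            {
                ddlProduct.Items.Add(new ListItem("Product " + id, id));
            }
        }
    }

    // Event validation records the (UniqueID, value) pairs rendered for each
    // control and checks the posted value against them. A value the server
    // never rendered (e.g. an <option> injected by script, or a hand-edited
    // request) fails that check with the "invalid postback or callback
    // argument" error. Options that are legitimately added outside the normal
    // rendering path must be registered here; RegisterForEventValidation is
    // only valid during Render, before base.Render runs.
    protected override void Render(HtmlTextWriter writer)
    {
        foreach (string id in AllowedProductIdsForCurrentUser())
        {
            Page.ClientScript.RegisterForEventValidation(ddlProduct.UniqueID, id);
        }
        base.Render(writer);
    }

    protected void btnSubmit_Click(object sender, EventArgs e)
    {
        // Read the raw posted value rather than trusting SelectedValue: event
        // validation can be disabled per page or in web.config, so the handler
        // must still confirm the value is one this user was offered.
        string posted = Request.Form[ddlProduct.UniqueID];

        int productId;
        bool wellFormed = int.TryParse(posted, out productId);
        bool permitted = wellFormed
            && AllowedProductIdsForCurrentUser().Contains(posted, StringComparer.Ordinal);

        if (!permitted)
        {
            // Reject without echoing the untrusted value back into the page.
            throw new InvalidOperationException("Rejected DropDownList value.");
        }

        // Safe to proceed with productId here.
    }
}
```

The membership check in `btnSubmit_Click` is the part that holds regardless of the `EnableEventValidation` setting; the `Render` override only matters when options are added outside the control's own rendering and would otherwise trigger the error quoted in the question.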
