Form Spoof/editing <option> tag values

Discussion in 'ASP .Net' started by Raterus, May 5, 2004.

  1. Raterus

    Raterus Guest

    Hi there,

    Should I be concerned with a malicious user spoofing a postback by changing the values for a control like the dropdownlist found in the rendered <option> tags? I would hope asp.net would bomb on them if the value they posted was never a listitem in the control.

    Here's another question/situation though, what if the listitems in the codebehind were just "visible=false", could a user potentially trick a dropdownbox into acting like an element has been selected, that really was never there?

    Thanks,
    --Michael
     
    Raterus, May 5, 2004
    #1

  2. "Raterus" <> wrote in message
    news:...
    >Hi there,


    >Should I be concerned with a malicious user spoofing a postback by changing
    >the values for a control like the dropdownlist found in the rendered
    ><option> tags?


    In general, yes.

    >I would hope asp.net would bomb on them if the value they
    >posted was never a listitem in the control.


    It doesn't. There are several very good potential reasons for this,
    including the little detail that the items collection might not yet be
    populated at the time that the verification would execute.

    You should add validation of your own if you want to avoid this problem.
    When doing so, you should probably also consider that the list that was
    generated for the client on initial page load is not necessarily the same
    list that is available on the server by the time the page is submitted.
    i.e.: Items could be added or removed from the source list in the time
    between the loading and submission of the page by any given client.

    >Here's another question/situation though, what if the listitems in the
    >codebehind were just "visible=false", could a user potentially trick a
    >dropdownbox into acting like an element has been selected, that really was
    >never there?


    It doesn't validate anyway, so visibility doesn't matter.

    HTH,
    Nicole
     
    Nicole Calinoiu, May 7, 2004
    #2
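
One way to write the validation the reply above recommends, as an added example that is not part of the original thread. The type and method names and the sample values are hypothetical, and keeping the rendered value set server-side (for instance in Session) is an assumption of this sketch. It checks the raw posted value against the list as it stands at submit time and separates a stale choice from a value that was never offered.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical names; sample data in Main is constructed for illustration.
public enum PostedChoice { Valid, Stale, Rejected }

public static class DropDownPostValidator
{
    // posted:   raw form value, e.g. Request.Form[myDropDown.UniqueID],
    //           read directly rather than trusting the control's selection.
    // rendered: values sent to this client on initial load, kept server-side
    //           (assumption: stored in Session, never in a client-editable field).
    // current:  values this user may choose right now, re-read from the source.
    //           Items hidden from the page are left out of this set, so posting
    //           their value is rejected like any other unknown value.
    public static PostedChoice Check(string posted,
                                     ICollection<string> rendered,
                                     ICollection<string> current)
    {
        // This sketch treats an empty value as "nothing chosen".
        if (string.IsNullOrEmpty(posted)) return PostedChoice.Rejected;

        // Authoritative check: is the value allowed at submit time?
        if (current.Contains(posted)) return PostedChoice.Valid;

        // Offered at load time but removed since: not tampering,
        // so re-render the list and ask the user to choose again.
        if (rendered.Contains(posted)) return PostedChoice.Stale;

        // Never offered to this client: edited <option> value or forged post.
        return PostedChoice.Rejected;
    }

    public static void Main()
    {
        // Constructed sample: "20" was removed and "40" added after page load.
        var rendered = new HashSet<string>(StringComparer.Ordinal) { "10", "20", "30" };
        var current  = new HashSet<string>(StringComparer.Ordinal) { "10", "30", "40" };

        foreach (string posted in new[] { "10", "20", "99", "" })
            Console.WriteLine("'{0}' -> {1}", posted, Check(posted, rendered, current));
    }
}
```

In a page handler, only a Valid result should reach the business logic; a Rejected result is worth logging with the user and the posted value.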