Form Spoof/editing <option> tag values

[Raterus]

Hi there,

Should I be concerned with a malicious user spoofing a postback by changing the values for a control like the dropdownlist found in the rendered <option> tags. I would hope asp.net would bomb on them if the value they posted was never a listitem in the control.

Here's another question/situation though, what if the listitems in the codebehind were just "visible=false", could a user potentially trick a dropdownbox into acting like an element has been selected, that really was never there?

Thanks,
--Michael

 

[Nicole Calinoiu]

Hi there,

Should I be concerned with a malicious user spoofing a postback by changing
the values for a control like the dropdownlist found in the rendered
<option> tags.

In general, yes.

I would hope asp.net would bomb on them if the value they
posted was never a listitem in the control.

It doesn't. There are several very good potential reasons for this,
including the little detail that the items collection might not yet be
populated at the time that the verification would execute.

You should add validation of your own if you want to avoid this problem.
When doing so, you should probably also consider that the list that was
generated for the client on initial page load is not necessarily the same
list that is available on the server by the time the page is submitted.
i.e.: Items could be added or removed from the source list in the time
between the loading and submission of the page by any given client.

Here's another question/situation though, what if the listitems in the
codebehind were just "visible=false", could a user potentially trick a
dropdownbox into acting like an element has been selected, that really was
never there?

It doesn't validate anyway, so visibility doesn't matter.

HTH,
Nicole