Can I find out if the postback came from the same server?


Alan Silver

Hello,

Reading articles on the various forms of attack that people try against
web sites, it seems that a lot of them involve people modifying a page
and posting it back to the server. Thus, if you had some way of checking
(on postback) if the postback had come from the server on which the page
is running, you would be a long way to avoiding these attacks.

For example, if you could have (pseudocode)...

    protected void Page_Load(object sender, EventArgs e)
    {
        // FromMyServer is the hypothetical check being asked about
        if (!FromMyServer)
        {
            // display message "Don't try and hack my site!!" or similar
        }
        else if (!IsPostBack)
        {
            // initialise controls, etc
        }
    }

Offhand, the only way I can think of doing such a check is from the
HTTP_REFERER server variable, but as that is pretty easy to hack, it
doesn't really help.

Any comments?

Alan Silver

> Read this article, it will go a long way towards helping you understand some
> of the pitfalls and workarounds.
>
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnaspp/html/securitybarriers.asp

Thanks for the link. The article was useful, but still didn't address
the point I raised. If you had some way of checking that the postback
had come from the same server, you would avoid quite a number of the
attacks in the first place. Several of the ones mentioned involved
posting from another server. If you simply disallowed these, you would
cut out a number of possible attacks without any further work. Obviously
you would still have plenty to do protecting yourself from other kinds
of attack.

Which brings me back to my original question, is there a reliable way of
checking if the postback came from the same server?

Best Regards

The Inimitable Mr Newbie º¿º

PL

> Which brings me back to my original question, is there a reliable way of checking if the postback came from the same server?

I assume you are aware of the event validation feature of ASP.NET 2.0?

Event validation ensures the postback comes from the control that originally
rendered it, meaning for example that if you have a datagrid with edit buttons
and those buttons are wired into calling "ItemEdit" it will validate the events
to make sure it came from the control that originally rendered it.

This is not really 100% but it goes a long way to protect against the type
of attacks you are talking about.

PL.

Alan Silver

> Which brings me back to my original question, is there a reliable way
> I assume you are aware of the event validation feature of ASP.NET 2.0?

You assume incorrectly!! I am ignorant ;-)
> Event validation ensures the postback comes from the control that originally
> rendered it, meaning for example that if you have a datagrid with edit buttons
> and those buttons are wired into calling "ItemEdit" it will validate the events
> to make sure it came from the control that originally rendered it.

If so, how do the attacks that rely on saving a page, modifying it and
posting back from another server work? Surely the eventvalidation would
catch this?

Or did I miss the point?

Actually, re-reading your words, it looks like the check is to ensure
that the event is called from the control that is supposed to call it.
If so, then it could easily be from another server, as long as the name
of the control in the saved page wasn't changed.

Or did I still miss the point?
> This is not really 100% but it goes a long way to protect against the type
> of attacks you are talking about.

I would be grateful if you could explain it a little more, as I'm not
very clear so far <g>

Also, is this something built in to ASP.NET, or do you have to do
something to enable it?

Thanks for the reply

PL

> If so, how do the attacks that rely on saving a page, modifying it and posting back from another server work? Surely the
> event validation would catch this?

If it's modified I think it will.
> Actually, re-reading your words, it looks like the check is to ensure that the event is called from the control that is supposed
> to call it. If so, then it could easily be from another server, as long as the name of the control in the saved page wasn't
> changed.

I'm not 100% sure how it works but it puts a hidden field named
__EVENTVALIDATION in the form with a hash of the unique IDs
from the controls rendered on the page.

This value is verified at postback, not sure what would happen if you save
the complete page and put it up on a separate server.
> Also, is this something built in to ASP.NET, or do you have to do something to enable it?

It's new in ASP.NET 2.0 and turned on by default. To turn it off you use
<pages enableEventValidation="False"> in the web.config or put
enableEventValidation="False" in the @Page directive for an individual page.

I'm having a hard time finding any good articles about this subject but
ASP.NET 2.0 is still just a few weeks old (RTM version).

PL.
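As an added illustration (not code from this thread or from ASP.NET itself), here is a simplified Python model of the mechanism PL describes: a hidden __EVENTVALIDATION field carrying the list of rendered control IDs under a keyed hash, checked when the postback arrives. The key, control names and token layout are constructed for the example; the real field is also bound to view state and signed with the machine key. It shows the behaviour PL was unsure about: a page saved unmodified still validates wherever it is posted from, because nothing in the token identifies the sending server, while a page edited to raise an event for a control that was never rendered is rejected.

```python
import hashlib
import hmac

# Stands in for the server's machineKey (constructed value for the demo).
MACHINE_KEY = b"constructed-demo-key-not-a-real-machine-key"


def make_event_validation(control_ids):
    """Build the __EVENTVALIDATION value: the IDs the server rendered,
    plus an HMAC over that list so a client cannot edit it unnoticed."""
    body = ",".join(control_ids)
    mac = hmac.new(MACHINE_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{mac}"


def render_page(control_ids):
    """Hidden fields a rendered page would carry (constructed model)."""
    return {"__EVENTVALIDATION": make_event_validation(control_ids)}


def validate_postback(form, event_target):
    """Server side: accept only if the token is intact and the control
    raising the event is one the server rendered. Nothing about where
    the POST came from (Referer, host, IP) takes part in the decision."""
    token = form.get("__EVENTVALIDATION", "")
    body, sep, mac = token.rpartition("|")
    if not sep:
        return False
    expected = hmac.new(MACHINE_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False
    return event_target in body.split(",")


def demo():
    rendered = render_page(["btnSave", "btnCancel"])
    # 1. Page saved unmodified and posted from another server: same fields,
    #    same token, so it still validates.
    unmodified_copy = validate_postback(dict(rendered), "btnSave")
    # 2. Page saved and edited to add a control that was never rendered;
    #    the old MAC no longer matches the edited list, so it is rejected.
    edited = dict(rendered)
    old_mac = rendered["__EVENTVALIDATION"].split("|")[1]
    edited["__EVENTVALIDATION"] = "btnSave,btnCancel,btnDeleteAll|" + old_mac
    edited_copy = validate_postback(edited, "btnDeleteAll")
    # 3. Intact token, but the event names a control not in the list.
    unknown_target = validate_postback(dict(rendered), "btnDeleteAll")
    return unmodified_copy, edited_copy, unknown_target
```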