Is Hiding Server Controls Enough ?

Kevin Spencer

Hey, I liked it! But although I certainly referenced the film, I was more
intrigued with the central philosophical idea that it proposed, which was
that the Kingdom of Heaven is not something of this world, but in the hearts
and minds of those who commit to doing good to all at all times, and strive
to achieve that purpose.

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
A watched clock never boils.

John Timney ( MVP ) said:
not that really bad movie I hope.......lol

--
Regards

John Timney
ASP.NET MVP
Microsoft Regional Director

Kevin Spencer said:
I often muse over what the outcome would be or not if we were to
co-ordinate world efforts using the total sum of mental and physical
energy expended on stopping people behaving in a manner other than in
alignment with the common good.

The outcome would be the Kingdom of Heaven!

--
:-D,

Kevin Spencer
Microsoft MVP
.Net Developer
A watched clock never boils.

Mr Newbie said:
Thanks John,

By the way, what is your region ?

Yes, I have done a little with ASP.NET 2.0 Personalisation and
Membership, so I am aware of some of the basics; however, I think that
one has to assume there are loopholes and try one's best to find them
before someone finds them for you.

Thanks for your replies; it all goes into my internal cookbook for
future reference. As I said in another reply in the same thread, it's
just a pity that mankind has to expend so much energy to ensure the
defeat of our shortcomings (Criminal Elements).

I often muse over what the outcome would be or not if we were to
co-ordinate world efforts using the total sum of mental and physical
energy expended on stopping people behaving in a manner other than in
alignment with the common good.

I know that's a bit philosophical for this newsgroup, but what the hey!

--
Best Regards

The Inimitable Mr Newbie º¿º

----------------------------------------------------

It's worth reading up on the .NET 2 membership and login controls to
understand where you can better apply security.

http://beta.asp.net/QUICKSTART/aspnet/doc/security/default.aspx

The problem with just hiding controls is that their server events may
still be accessible, as you have found. You need to ensure that
functionality is not available regardless of the interface requesting
the methods - technically you need to render the methods inaccessible
based on a user's authorised role in your application.

--
Regards

John Timney
ASP.NET MVP
Microsoft Regional Director

Actually, I just tested it. You CAN make the server invoke a button
which was made visible=false. I just used the method you prescribed
and it does work, 'unfortunately'.

OK, well, that's one method I definitely will avoid. And I will have to
be more vigilant in my methods of ensuring security is maintained.

Thanks.

--
Best Regards

The Inimitable Mr Newbie º¿º



Thanks for the input Bruce,

I get paranoid about security when designing anything for a client,
because if you get it wrong as a freelance/contractor you really
don't want to be on the receiving end of any lawsuit; professional
indemnity or not, it's not a good position to be in.

I am going to try this out in the next couple of days when I get a
minute, as I think it's worth some further investigation, and report
my findings back to the group/thread.

--
Best Regards

The Inimitable Mr Newbie º¿º

-------------------------------------------------------------

You are correct to be worried about this. ASP.NET has added more
security checking for these cases, but you never have enough.

Hacking ASP.NET pages is very easy, as the HTML protocol is well
known. To hack, all you need is Notepad and a browser. Using Firefox or
an IE add-in really helps. The hacker hits the site and gets a list of
postback field values by viewing source; Page Info on Firefox will list
forms and their fields, and IE add-ins do the same.

Once you have the fields, you make an HTML file:

<form method=post action="url of site to attack" >

(used by auto postback - fill in the control name to fake a control post)

<input type=hidden name="__EVENTTARGET" value="">
<input type=hidden name="__EVENTARGUMENT" value="">

(magical viewstate - copy the value from view source of the actual browse)

<input type=hidden name="__VIEWSTATE" value="">

(add any field values to post back, setting name to the control
name and value to the value to post back)

<input type=hidden name="field1name" value="my value">

(to post back a button, say your delete button)

<input type=hidden name="deletebuttonname" value="submit">

</form>
<script>document.forms[0].submit();</script>

Just load the HTML in the browser and it will do the attack. You
should try this on your site; it should be easy.

You should have all BI logic re-verify the permissions. I use stored
procs, and have the procs recheck also.

-- bruce (sqlwork.com)





I was thinking about developing a workflow application yesterday and
was musing over the different approaches that one could take in
restricting specific actions on a ticket (Form) at any said stage.

One approach I have used on other systems is to prevent the action
buttons appearing. For example, if one did not have the Role of
Administrator, one would be prevented from deleting a ticket not
created by oneself.

However, it did occur to me that there was a possibility of
manually constructing the button code in the page which has been
rendered to the client.

If you have a button which was visible=false (not HTML hidden),
then would it be possible to invoke the backend function by
manually adding the tag/id etc. for this button?

I guess I could experiment, but I wondered if there was an instant
answer available?
 
Guest

Hiding is not good for this - each event handler has to explicitly check
whether the invoker is allowed to do the action! When an attack happens, log it,
but take no action for the attacker (just ignore it).

Hiding is good for only one thing - showing different content to different
viewers - this is safe.

There is another question: how to verify identity through the session. After
checking the passwords, placing a correct flag in Session or in User.Identity
should be good enough.

For banking-level security this should not be considered to be enough.

Pazu
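The handler-level check that John and Pazu describe, as an added example in C# code-behind (not code from anyone in the thread): the same rule decides both whether the Delete button is rendered and whether its click handler does anything, so a forged postback against the hidden button is logged and ignored. The page class, the `DeleteButton` id, the `Ticket` type and the in-memory ticket store are all assumptions made for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web.UI;
using System.Web.UI.WebControls;
// Hypothetical ticket record for the workflow scenario; field names are assumed.
public class Ticket { public int Id; public string CreatedBy; }

public partial class TicketPage : Page
{
    protected Button DeleteButton;   // id assumed to match the <asp:Button> in the .aspx markup

    // Constructed in-memory store standing in for the ticket database.
    private static readonly Dictionary<int, Ticket> Tickets = new Dictionary<int, Ticket>
    {
        { 1, new Ticket { Id = 1, CreatedBy = "alice" } },
        { 2, new Ticket { Id = 2, CreatedBy = "bob" } },
    };

    // One rule shared by the UI and the handler: administrators may delete any
    // ticket, everyone else only a ticket they created themselves.
    public static bool CanDeleteTicket(IPrincipal user, Ticket ticket)
    {
        if (user == null || ticket == null || !user.Identity.IsAuthenticated)
            return false;
        return user.IsInRole("Administrator")
            || string.Equals(user.Identity.Name, ticket.CreatedBy, StringComparison.OrdinalIgnoreCase);
    }

    private Ticket LoadTicket()
    {
        return int.TryParse(Request.QueryString["id"], out int id) && Tickets.TryGetValue(id, out Ticket t) ? t : null;
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // Visible = false only shapes the UI; a forged postback still reaches DeleteButton_Click.
        DeleteButton.Visible = CanDeleteTicket(User, LoadTicket());
    }

    protected void DeleteButton_Click(object sender, EventArgs e)
    {
        Ticket ticket = LoadTicket();
        if (!CanDeleteTicket(User, ticket))
        {
            // A hidden button never legitimately posts back: log the attempt, then do nothing.
            Trace.Warn("Security", "Unauthorised delete attempt on ticket '" + Request.QueryString["id"]
                + "' by '" + User.Identity.Name + "'");
            return;
        }
        Tickets.Remove(ticket.Id);   // the data layer (stored proc) should re-verify the role as well
    }
}
```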
 
