Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Programming > ASP .Net > Form Spoof/editing <option> tag values

Reply
Thread Tools

Form Spoof/editing <option> tag values

 
 
Raterus
Guest
Posts: n/a
 
      05-05-2004
Hi there,

Should I be concerned with a malicious user spoofing a postback by changing the values for a control like the dropdownlist found in the rendered <option> tags. I would hope asp.net would bomb on them if the value they posted was never a listitem in the control.

Here's another question/situation though, what if the listitems in the codebehind were just "visible=false", could a user potentially trick a dropdownbox into acting like an element has been selected, that really was never there?

Thanks,
--Michael
 
Reply With Quote
 
 
 
 
Nicole Calinoiu
Guest
Posts: n/a
 
      05-07-2004
"Raterus" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>Hi there,


>Should I be concerned with a malicious user spoofing a postback by changing
>the values for a control like the dropdownlist found in the rendered
><option> tags.


In general, yes.

>I would hope asp.net would bomb on them if the value they
>posted was never a listitem in the control.


It doesn't. There are several very good potential reasons for this,
including the little detail that the items collection might not yet be
populated at the time that the verification would execute.

You should add validation of your own if you want to avoid this problem.
When doing so, you should probably also consider that the list that was
generated for the client on initial page load is not necessarily the same
list that is available on the server by the time the page is submitted.
i.e.: Items could be added or removed from the source list in the time
between the loading and submission of the page by any given client.

>Here's another question/situation though, what if the listitems in the
>codebehind were just "visible=false", could a user potentially trick a
>dropdownbox into acting like an element has been selected, that really was
>never there?


It doesn't validate anyway, so visibility doesn't matter.

HTH,
Nicole


 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
error "A form tag with runat=server must exist" but there is a form tag!! André ASP .Net 2 06-23-2008 07:49 AM
Extra space between form tag and table tag when screen resolution is 1280 x 1024 nikkilou@nycap.rr.com HTML 2 07-24-2007 11:29 PM
how do u invoke Tag b's Tag Handler from within Tag a's tag Handler? shruds Java 1 01-27-2006 03:00 AM
How Can I put XSL tag inside HTML form tag? RC Java 2 05-10-2005 06:26 PM
How Can I put XSL tag inside HTML form tag? RC XML 2 05-10-2005 05:55 PM



Advertisments