ASP.Net 1.1 Viewstate Security


Problem description


In ASP.Net 1.1, is it possible for the end user to change the viewdata before it's sent back to the server to, for instance, make it look like an item is selected in a dropdown that does not exist? I've tried manipulating the values in the dropdown using Firebug but the server seems to ignore that, I'm presuming because the viewstate says that item does not exist. If, however, it's possible to change the viewdata to achieve this, then that could be more of a problem.

I'm asking because I've been asked to look over the security of one of our applications and if the above is possible there could be a big security gap.

Just to clarify, I'm not asking how. I do not want to break someone else's software, I just need to know if it's something to be concerned about.

Hopefully this makes sense.

Thanks

Solution

Yes, View State can be hacked. In ASP.NET 2.0 a feature was introduced which allowed one to Encrypt the View State and thus prevent these types of attacks.

Hacking View State for Fun & Profit details how to hack the view state of an application.
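
The settings involved, as an added Web.config example that is not part of the original answer: `enableViewStateMac` is the tamper check available in ASP.NET 1.1, and `viewStateEncryptionMode` is the ASP.NET 2.0 encryption setting the answer mentions. The `AutoGenerate` key values are an assumption about the deployment (a single server).

```xml
<!-- Added example: Web.config fragment, not taken from the original answer. -->
<configuration>
  <system.web>
    <!-- Weak setting, shown commented out: with the MAC disabled the server
         accepts a __VIEWSTATE field that the client has edited.
         <pages enableViewStateMac="false" /> -->

    <!-- ASP.NET 1.1 and later: keep the view state MAC enabled so that a
         modified __VIEWSTATE field fails validation on postback.
         ASP.NET 2.0 and later only: viewStateEncryptionMode additionally
         encrypts the field. Omit that attribute on a 1.1 application. -->
    <pages enableViewStateMac="true" viewStateEncryptionMode="Always" />

    <!-- Keys used for the MAC and for encryption. AutoGenerate creates keys
         per machine (assumed single-server deployment); a web farm needs the
         same explicit keys configured on every server. -->
    <machineKey validationKey="AutoGenerate"
                decryptionKey="AutoGenerate"
                validation="SHA1" />
  </system.web>
</configuration>
```

Independently of these settings, server-side code should still check that a posted selection is one of the values the application actually offered before acting on it.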
