破解 DropDownList 值 [英] Hacking DropDownList value

问题描述

我有一个 DropDownList，我正在努力防止它被用作攻击媒介.我可以假设用户无法实际更改 DDL 的值并回发到服务器吗?目前，如果我在提交后尝试更改数据包，则会抛出此 ASP.NET 错误消息:

I've got a DropDownList and I'm trying to prevent it from being used as an attack vector. Can I assume that the user is unable to actually change the values of the DDL and postback to the server? At the moment, I get this ASP.NET error message thrown if I try and change the packet after submission:

出于安全目的，此功能验证回发或回调事件的参数是否源自最初呈现它们的服务器控件.

我是否正确地认为这是由于视图状态哈希中的完整性受到损害?这可以绕过吗?

Am I right in thinking that this is due to the integrity being compromised in the viewstate hash? Can this be bypassed?

谢谢

推荐答案

实际上，只要页面具有 EnableEventValidation = true(这是默认设置，尽管您可以在每页或在 web.config 中禁用它).如果将新值添加到您的下拉列表客户端，并且发生回发，则会发生错误，除非您注册此新值以进行事件验证 (http://odetocode.com/blogs/scott/archive/2006/03/21/asp-net-event-validation-and-invalid-callback-or-postback-argument-again.aspx)

Actually you should be able to assume that the dropdown list options have not been changed client side as long as the page has EnableEventValidation = true (which is default although you can disable it per page or in the web.config). If a new value is added to your dropdownlist client side, and a postback occurs an error will occur unless you register this new value for event validation (http://odetocode.com/blogs/scott/archive/2006/03/21/asp-net-event-validation-and-invalid-callback-or-postback-argument-again.aspx)

这篇关于破解 DropDownList 值的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！