使 asp:Button 控件不可见是否足以确保用户无法单击它? [英] Is making an asp:Button control invisible enough to be sure users won't be able to click it?

问题描述

我正在制作一个简单的网站，列出某个文件夹中的文件.如果用户有管理员权限，用户可以通过点击删除"按钮删除文件.

I'm making a simple website that lists files from a certain folder. If the user has admin rights, the user can delete files by clicking the "Delete" button.

在我的 .aspx 文件中，我有以下代码:

In my .aspx file, I have the following code:

<asp:Button runat="server" Text="Delete" OnCommand="FileList_Delete"
            CommandArgument='<%#Eval("FilePath")%>' Visible='<%CurrentUserIsAdmin()%>' />

所以如果 CurrentUserIsAdmin() 返回 false，按钮将不会被渲染.

So the button will not be rendered if CurrentUserIsAdmin() returns false.

按钮呈现如下:

<input type="submit" name="ctl00$ctl00$MainContent$LocalMainContent$FileList$ctrl0$ctl17" value="Delete" />

我的问题是:如果用户修改网页客户端以点击这个不可见的按钮，我能确定这种方法可以安全地抵御已知代码攻击吗?或者我必须在代码隐藏中采取预防措施并在按钮点击事件中验证用户的权限?

My question is: Can I be sure that this method is safe against a known-code attack if the user modifies the webpage client-side aiming to click this invisible button? Or do I have to take precautions in the code-behind and verify the user's rights in the button-clicked event?

推荐答案

是的，将按钮的 Visible 属性设置为 false 就足以阻止它的 Click 和 命令 事件不会被引发，只要您不关闭默认的 WebForms 安全功能.

Yes, setting a button's Visible property to false is enough to prevent its Click and Command events from being raised, as long as you don't turn off the default WebForms security features.

您可以通过将始终可见的 <input> 元素临时添加到您的 .aspx 并与呈现的 具有相同的 name 来轻松测试这一点.asp:Button>:

You can easily test this by temporarily adding an always-visible <input> element to your .aspx with the same name as the rendered <asp:Button>:

<input type="submit"
       name="ctl00$ctl00$MainContent$LocalMainContent$FileList$ctrl0$ctl17"
       value="Fake Delete" />

当真正的删除按钮不可见时，点击虚假的删除按钮.您应该收到无效的回发或回调参数.事件验证已启用..."异常.

Click the fake Delete button when the real Delete button is invisible. You should get an "Invalid postback or callback argument. Event validation is enabled..." exception.

重要说明:

• 不要在 if (!IsPostBack) 块中将按钮的 Visible 属性设置为 false，因为攻击者有可能绕过该检查.有关详细信息，请参阅此答案.
• 必须启用 ASP.NET 事件验证(默认情况下).所以不要通过将 EnableEventValidation="False" 添加到 @Page 指令或 来关闭它代码> 到 Web.config.
• 永远永远通过将 EnableViewStateMac="False" 添加到 @Page 指令来禁用视图状态验证或 到 Web.config.这将允许攻击者篡改隐藏的 __EVENTVALIDATION 字段并做其他讨厌的事情.
• 如果您选择从标准 Button 控件派生自定义 Button 服务器控件，请确保添加 [SupportsEventValidation] 派生类的属性.
• 如果您选择从头开始创建自定义 Button 服务器控件，请调用 RegisterForEventValidation 和 ValidateEvent 在适当的位置.

• Don't set a button's Visible property to false within an if (!IsPostBack) block because it's possible for an attacker to bypass that check. See this answer for more information.
• ASP.NET event validation must be enabled (which it is by default). So don't turn it off by adding EnableEventValidation="False" to the @Page directive or <pages enableEventValidation="false" /> to Web.config.
• Never ever ever disable view state validation by adding EnableViewStateMac="False" to the @Page directive or <pages enableViewStateMac="false" /> to Web.config. This would allow an attacker to tamper with the hidden __EVENTVALIDATION field and do other nasty things.
• If you choose a derive a custom Button server control from the standard Button control, make sure you add the [SupportsEventValidation] attribute to the derived class.
• If you choose to create a custom Button server control from scratch, call RegisterForEventValidation and ValidateEvent in the appropriate places.

这篇关于使 asp:Button 控件不可见是否足以确保用户无法单击它?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！