正在一个asp:Button控件足够无形,以确保用户将无法点击它? [英] Is making an asp:Button control invisible enough to be sure users won't be able to click it?
问题描述
我做一个简单的网站,从一个特定的文件夹列表文件。如果用户拥有管理员权限,用户可以通过点击删除按钮删除文件。
I'm making a simple website that lists files from a certain folder. If the user has admin rights, the user can delete files by clicking the "Delete" button.
在我的.aspx文件,我有以下code:
In my .aspx file, I have the following code:
<asp:Button runat="server" Text="Delete" OnCommand="FileList_Delete"
CommandArgument='<%#Eval("FilePath")%>' Visible='<%CurrentUserIsAdmin()%>' />
因此,按钮将不会呈现如 CurrentUserIsAdmin()
收益假
。
按钮呈现这样的:
<input type="submit" name="ctl00$ctl00$MainContent$LocalMainContent$FileList$ctrl0$ctl17" value="Delete" />
我的问题是:我可以肯定,这种方法是针对如果用户修改网页客户端,旨在单击此按钮,看不见一个known- code攻击安全吗?还是我拿precautions在code-后面的按钮点击事件验证用户的权限?
My question is: Can I be sure that this method is safe against a known-code attack if the user modifies the webpage client-side aiming to click this invisible button? Or do I have to take precautions in the code-behind and verify the user's rights in the button-clicked event?
推荐答案
是的,一个按钮的可见
属性设置为false,就足以prevent其点击
和命令
被引发的事件,的只要你不关闭默认的WebForms安全功能
Yes, setting a button's Visible
property to false is enough to prevent its Click
and Command
events from being raised, as long as you don't turn off the default WebForms security features.
您可以轻松地通过临时增加一个总是可见的&LT测试这个C $ C>为渲染
&LT; ASP:按钮&GT;
:
You can easily test this by temporarily adding an always-visible <input>
element to your .aspx with the same name
as the rendered <asp:Button>
:
<input type="submit"
name="ctl00$ctl00$MainContent$LocalMainContent$FileList$ctrl0$ctl17"
value="Fake Delete" />
在真正的删除按钮是不可见的点击假冒的删除按钮。你应该得到一个无效的回发或回调参数。事件启用了验证......异常。
Click the fake Delete button when the real Delete button is invisible. You should get an "Invalid postback or callback argument. Event validation is enabled..." exception.
重要提示:
- 请不要在一个按钮的
可见
属性设置为false如果(!的IsPostBack)
块,因为它是可能的攻击者绕过检查。请参见这个答案了解详情。 - ASP.NET事件验证,必须启用(这是默认设置)。所以,不要加入
EnableEventValidation =FALSE
到@Page
指令或<$ C $关掉它C>&LT;页面enableEventValidation =FALSE/方式&gt; 来的Web.config - 永远不要 曾经的通过添加禁用视图状态验证
EnableViewStateMac =FALSE
到@Page
指令或&LT;页面enableViewStateMac =FALSE/&GT;
到Web.config中。 这将允许攻击者与隐藏__EVENTVALIDATION场篡改和做其他令人讨厌的事情。 - 如果您选择派生从标准Button控件自定义按钮服务器控件,请确保您添加的
[SupportsEventValidation]
属性派生类。 - 如果您选择从头开始创建自定义按钮服务器控件,请拨打<一个href=\"http://msdn.microsoft.com/en-us/library/system.web.ui.clientscriptmanager.registerforeventvalidation.aspx\"相对=nofollow>
RegisterForEventValidation
和的ValidateEvent
在适当的位置。
- Don't set a button's
Visible
property to false within anif (!IsPostBack)
block because it's possible for an attacker to bypass that check. See this answer for more information. - ASP.NET event validation must be enabled (which it is by default). So don't turn it off by adding
EnableEventValidation="False"
to the@Page
directive or<pages enableEventValidation="false" />
to Web.config. - Never ever ever disable view state validation by adding
EnableViewStateMac="False"
to the@Page
directive or<pages enableViewStateMac="false" />
to Web.config. This would allow an attacker to tamper with the hidden __EVENTVALIDATION field and do other nasty things. - If you choose a derive a custom Button server control from the standard Button control, make sure you add the
[SupportsEventValidation]
attribute to the derived class. - If you choose to create a custom Button server control from scratch, call
RegisterForEventValidation
andValidateEvent
in the appropriate places.
这篇关于正在一个asp:Button控件足够无形,以确保用户将无法点击它?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!