Hacking DropDownList value


Problem description


I've got a DropDownList and I'm trying to prevent it from being used as an attack vector. Can I assume that the user is unable to actually change the values of the DDL and postback to the server? At the moment, I get this ASP.NET error message thrown if I try and change the packet after submission:

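For security purposes, this feature verifies that arguments to postback or callback events originate from the server control that originally rendered them.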


Am I right in thinking that this is due to the integrity being compromised in the viewstate hash? Can this be bypassed?

Thanks

Recommended answer


Actually you should be able to assume that the dropdown list options have not been changed client side as long as the page has EnableEventValidation = true (which is the default, although you can disable it per page or in the web.config). If a new value is added to your dropdownlist client side and a postback occurs, an error will occur unless you register this new value for event validation (http://odetocode.com/blogs/scott/archive/2006/03/21/asp-net-event-validation-and-invalid-callback-or-postback-argument-again.aspx).
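An added example, not part of the original answer: a hypothetical Web Forms code-behind that registers one client-added value for event validation and also re-checks the posted value against a server-side allow-list, so the handler does not depend on EnableEventValidation staying enabled. The names `RegionPage`, `ddlRegion`, `btnSubmit_Click` and the sample values are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Web.UI;
using System.Web.UI.WebControls;

// Hypothetical code-behind; the .aspx markup is assumed to declare
// <asp:DropDownList ID="ddlRegion" runat="server" /> and a button wired to btnSubmit_Click.
public partial class RegionPage : Page
{
    // Declared here so the example is complete; drop it if the designer file declares it.
    protected DropDownList ddlRegion;

    // Options the server renders (constructed sample values).
    private static readonly HashSet<string> ServerValues =
        new HashSet<string>(StringComparer.Ordinal) { "EU", "US", "APAC" };

    // The one value client script is allowed to append (assumption).
    private const string ClientAddedValue = "OTHER";

    protected void Page_Load(object sender, EventArgs e)
    {
        if (IsPostBack) return; // items are restored from view state on postback
        foreach (string v in ServerValues)
            ddlRegion.Items.Add(new ListItem(v, v));
    }

    protected override void Render(HtmlTextWriter writer)
    {
        // RegisterForEventValidation may only be called during Render. Without this
        // call, posting "OTHER" raises the invalid postback or callback argument error.
        ClientScript.RegisterForEventValidation(ddlRegion.UniqueID, ClientAddedValue);
        base.Render(writer);
    }

    protected void btnSubmit_Click(object sender, EventArgs e)
    {
        // Read the raw posted value: a client-added option is not in Items,
        // so SelectedValue would not reflect it.
        string posted = Request.Form[ddlRegion.UniqueID];
        bool allowed = posted != null &&
            (ServerValues.Contains(posted) || posted == ClientAddedValue);
        if (!allowed)
        {
            Response.StatusCode = 400; // reject anything outside the known set
            return;
        }
        // posted is now one of the known options and can be used by the handler.
    }
}
```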
