How to modify viewstate of a label in ASP.net


Problem description


I read somewhere that it's possible to modify viewstate, but I didn't find the steps to achieve it.

For example: I want to modify the viewstate of a label; initially the label text is "Hi.." and I want to change it to "Hello" by modifying its viewstate on postback.

Any suggestion will be appreciated.

Solution

I'm guessing you're talking about maliciously modifying the __VIEWSTATE hidden field as an end user, not modifying the ViewState from within code. This may or may not be feasible (hopefully not), depending on some of your application's settings. The two that are going to make it pretty hard are EnableViewStateMac and ViewStateEncryptionMode. These are often set on the <pages> element in Web.config.

ViewStateEncryptionMode is not really designed to prevent ViewState tampering; it's meant to obscure whatever content you have embedded in ViewState. For example, if you decided to add some secret information about yourself to ViewState (e.g., ViewState["secretinfo"] = "My social security number is xxx-xx-xxxx.";), any user that comes along and loads your page can take your __VIEWSTATE field and run it through a base64 decoder to find your social security number—unless, of course, you're encrypting ViewState.

As an example, here's a .aspx page I found through a simple Google search. View source, grab the ViewState, and paste it into this base64 decoder. Among a few ugly characters, you'll find a bunch of plain text. This ViewState has obviously not been encrypted (which is probably not a bad thing).

Now, if you were a curious or possibly malicious person, you might try to modify some of the text you found in the ViewState, re-encode it as base64, and plop it back into the __VIEWSTATE field. (In many browsers, just open the JS console and type document.querySelector("[name=__VIEWSTATE]").value = "whatever your base64 text is";.) Now when you submit the form, the page will post back with the modified ViewState.

This is where EnableViewStateMac comes into play. As MSDN notes, this setting should always be enabled on a production site, as this is the setting that's meant to prevent malicious folks from tampering with the __VIEWSTATE field. To oversimplify, it basically calculates a hash (actually a message authentication code) of the __VIEWSTATE value and sends this alongside the __VIEWSTATE. (It's embedded at the end of the string and doesn't decode back to a nice plain-text string.) If you modify some text within the __VIEWSTATE, the message will no longer match the MAC, and .NET will catch this and throw an exception before you even have a chance to process the request.

TL;DR
As long as you have EnableViewStateMac on (which you should), you can't really modify the __VIEWSTATE field.
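The MAC check the answer describes, as an added example that is not from the original post and not ASP.NET's own code: a simplified Python model in which page state is base64-encoded with an HMAC appended, then verified on postback. The key, the JSON serialization and the field name are constructed stand-ins for the machineKey and the real ViewState format.

```python
import base64
import hashlib
import hmac
import json

# Constructed server-side secret standing in for the machineKey; it never reaches the client.
SERVER_KEY = b"constructed-demo-key-not-a-real-machineKey"
TAG_LEN = 32  # bytes of HMAC-SHA256 appended to the payload


def encode_state(state: dict, mac: bool = True) -> str:
    """Serialize page state to base64; with mac=True append an HMAC (EnableViewStateMac analogue)."""
    payload = json.dumps(state, sort_keys=True).encode()
    if mac:
        payload += hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return base64.b64encode(payload).decode()


def decode_state(field: str, mac: bool = True) -> dict:
    """Decode a posted field; with mac=True raise ValueError when the MAC does not match the payload."""
    raw = base64.b64decode(field)
    if mac:
        payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("ViewState MAC validation failed")
        raw = payload
    return json.loads(raw.decode())


def plaintext_visible(field: str, text: str) -> bool:
    """The ViewStateEncryptionMode point: without encryption, base64 decoding exposes the content."""
    return text.encode() in base64.b64decode(field)


def simulate_client_edit(field: str, old: str, new: str) -> str:
    """Model the console edit from the answer: decode, swap text, re-encode; MAC bytes are left as they were."""
    raw = base64.b64decode(field)
    return base64.b64encode(raw.replace(old.encode(), new.encode())).decode()


def postback_accepts_edit(mac_enabled: bool) -> bool:
    """True if the edited label text survives postback; expected only when the MAC is switched off."""
    field = encode_state({"Label1.Text": "Hi.."}, mac=mac_enabled)
    edited = simulate_client_edit(field, "Hi..", "Hello")
    try:
        return decode_state(edited, mac=mac_enabled)["Label1.Text"] == "Hello"
    except ValueError:
        return False  # the server rejects the request before page code runs
```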
