黑客DropDownList值 [英] Hacking DropDownList value

问题描述

我有一个DropDownList，我试图阻止它被用作攻击向量。我可以假设用户无法将DDL和回发的值实际更改为服务器吗？目前，如果我在提交后尝试更改数据包，则会收到此ASP.NET错误消息：

I've got a DropDownList and I'm trying to prevent it from being used as an attack vector. Can I assume that the user is unable to actually change the values of the DDL and postback to the server? At the moment, I get this ASP.NET error message thrown if I try and change the packet after submission:

为了安全起见，此功能验证回发或回调事件的参数来自最初提供给他们的服务器控件。

我认为这是因为在viewstate哈希中完整性受到影响？这可以绕过吗？

Am I right in thinking that this is due to the integrity being compromised in the viewstate hash? Can this be bypassed?

谢谢

推荐答案

其实你应该只要页面具有EnableEventValidation = true（尽管您可以在每个页面或web.config中禁用它），因此可以假设下拉列表选项没有被更改为客户端。如果一个新值被添加到您的下拉列表客户端，并且发生回发，则会发生错误，除非您注册此新值进行事件验证（ http://codetocode.com/blogs/scott/archive/ 2006/03/21 / asp-net-event-validation-and-invalid-callback-or-postback-argument-again.aspx ）

Actually you should be able to assume that the dropdown list options have not been changed client side as long as the page has EnableEventValidation = true (which is default although you can disable it per page or in the web.config). If a new value is added to your dropdownlist client side, and a postback occurs an error will occur unless you register this new value for event validation (http://odetocode.com/blogs/scott/archive/2006/03/21/asp-net-event-validation-and-invalid-callback-or-postback-argument-again.aspx)

这篇关于黑客DropDownList值的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！