I was thinking about developing a workflow application yesterday and was
musing over the different approaches that one could take in restricting
specific actions on a ticket (Form) at any said stage.
One approach I have used on other systems is to prevent the action buttons
appearing. For example, if one did not have the Role of Administrator, one
would be prevented from deleting a ticket not created by oneself.
However, it did occur to me that there was a possibility of manually
constructing the button code in the page which has been rendered to the
client.
If you have a button which was visible=false (not HTML hidden), then would
it be possible to invoke the backend function by manually adding the tag/id
etc. for this button?
I guess I could experiment, but I wondered if there was an instant answer
available?
--
Best Regards
The Inimitable Mr Newbie º¿º
No - hiding is not enough, as someone could simply reconstruct your hidden
elements.
At the least you need to use some form of access control, to verify who the
logged-in user is and then display the controls or not based on that
role.
--
Regards
John Timney
ASP.NET MVP
Microsoft Regional Director
OK, thanks for the reply. I do intend to use access control but I think
perhaps I didn't make myself clear enough.
Let's say that we have two users, 'Jon' and 'Sarah'. John may delete anything
but 'Sarah' may only delete her own work.
Before the form is rendered, the control logic determines that this document
belongs to 'Jon' but that it is 'Sarah' who has opened it. Therefore the
logic sets the Visible property of the 'Delete' button to False so it is
not rendered to the client.
However, 'Sarah' is feeling evil today and decides to enter the tags she's
seen before on her own documents and loads the page, or at least somehow
manages to add this object into the document displayed and invoke its click
event.
Will this activate the Server side click event for this button regardless of
if it has been displayed or not?
Regards Mr Newbie . . .
Yo Mr. Newbie,
> Will this activate the Server side click event for this button regardless of
> if it has been displayed or not?
No it will not. It would require a great deal of skill to accomplish
something like this, if you do it correctly. That is, use an HtmlInputButton
Control or a Button WebControl (used as a Command Button would be best, as
this does not create a Submit button, and makes the job more difficult for
the would-be hacker). These controls use JavaScript to send information
about themselves in hidden form fields back to the server. So, the first
obstacle for Sarah would be not only to add a Delete button to the HTML,
but also to add the appropriate information into the hidden form fields. She
would also have to enter the correct information into the hidden ViewState
form field, in order to trick the server into reproducing the Page class and
Controls as if its previous state had included the button. This is because
HTTP is stateless. The server relies on the Request coming from the client
to reproduce its State if the Page is posted back. It has to build the Page
from scratch with each Request.
Sarah's only resort would be to get on to the computer right after John has
loaded the page in the state she wants, and to copy the HTML to another file
she could hide somewhere. Then, when John is gone, she could pull up the
page with John's information in it, and merge the HTML to create the state
she needs. Of course, this could be accounted for by a clever developer as
well.
In short, using Server Controls would indeed be your best bet.
--
HTH,
Kevin Spencer
Microsoft MVP
.Net Developer
A watched clock never boils.
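Putting John's advice into practice for the Jon/Sarah scenario, as an added example that is not code from the thread (ASP.NET Web Forms code-behind in C#; the Ticket and TicketStore classes, the btnDelete control, the "id" query-string parameter and the "Administrator" role are assumed names): one authorization rule both decides whether the Delete button is rendered and guards the click handler, so a hand-built postback to a button the user never saw is still refused on the server.

```csharp
// Added example, not code from the thread. Assumed names: Ticket, TicketStore,
// TicketPage, btnDelete, the "id" query-string parameter and the "Administrator" role.
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public class Ticket
{
    public int Id;
    public string Owner;   // account name of the user who created the ticket
    public string Title;
}

// Constructed in-memory store standing in for the real database.
public static class TicketStore
{
    private static readonly Dictionary<int, Ticket> tickets = new Dictionary<int, Ticket>();

    static TicketStore()
    {
        tickets[1] = new Ticket { Id = 1, Owner = "jon",   Title = "Printer jammed" };
        tickets[2] = new Ticket { Id = 2, Owner = "sarah", Title = "VPN drops" };
    }

    public static Ticket Find(int id)
    {
        Ticket t;
        return tickets.TryGetValue(id, out t) ? t : null;
    }

    public static void Delete(int id) { tickets.Remove(id); }
}

// Code-behind for the ticket page. The .aspx is assumed to declare
//   <asp:Button ID="btnDelete" runat="server" Text="Delete" OnClick="btnDelete_Click" />
public class TicketPage : Page
{
    protected Button btnDelete;

    private int TicketId
    {
        get
        {
            int id;
            return int.TryParse(Request.QueryString["id"], out id) ? id : -1;
        }
    }

    // The single authorization rule. It decides BOTH whether the Delete button is
    // rendered and whether a delete request is honoured, so the two can never disagree.
    // An Administrator may delete anything; anyone else only tickets they own.
    internal static bool CanDelete(IPrincipal user, Ticket ticket)
    {
        if (ticket == null || user == null || !user.Identity.IsAuthenticated)
            return false;
        if (user.IsInRole("Administrator"))
            return true;
        return string.Equals(ticket.Owner, user.Identity.Name, StringComparison.OrdinalIgnoreCase);
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // Hiding the button is a usability decision, not an access check.
        // Visible = false removes the <input> from the rendered HTML, but nothing
        // stops a client from posting the button's field name by hand.
        btnDelete.Visible = CanDelete(User, TicketStore.Find(TicketId));
    }

    protected void btnDelete_Click(object sender, EventArgs e)
    {
        Ticket ticket = TicketStore.Find(TicketId);

        // Authorize again on the action itself. This runs on every postback that
        // reaches the handler, whether or not the button was ever rendered.
        if (!CanDelete(User, ticket))
        {
            // Record the attempt for the audit trail, then refuse.
            Trace.Warn("Security", "Unauthorized delete attempt on ticket " + TicketId
                + " by " + User.Identity.Name);
            throw new HttpException(403, "You are not allowed to delete this ticket.");
        }

        TicketStore.Delete(ticket.Id);
        Response.Redirect("~/Tickets.aspx", false);
    }
}
```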
Thanks for that reply.
In essence, we are saying that it is technically possible, but highly
unlikely that a hacker would go to these lengths. At least not unless the
information contained was so inviting as to entice the would-be hacker to
have a go.
> the would-be hacker). These controls use JavaScript to send information
> about themselves in hidden form fields back to the server. So, the first
What information would it be? I guess it's some sort of context mapping
which tells the server which server control is being mapped to which
client-side field etc.?
Thanks again for taking the time to reply. I guess when I'm designing
systems I like to think from the hacker's point of view as much as possible.
I suppose that says something about my mindset, but I would like to think
it's from a defensive and positive point of view rather than from a
criminality angle!
Cheers - Mr Newbie . . .
Hi Inimitable,
I like the way you like to think when designing!
In answer to your question, and in anticipation of similar follow-up
questions:
Basically, ASP.Net creates 2 hidden HTML form fields for server-side event
handling:
<input type="hidden" name="__EVENTTARGET" value="" />
<input type="hidden" name="__EVENTARGUMENT" value="" />
The "__EVENTTARGET" field is populated with the client ID of the Control
that causes the event, via a JavaScript client-side event handler inserted
into the HTML form tag by the ASP.Net engine. The "__EVENTARGUMENT" field is
populated with (if any) data that is passed along, in much the same way that
typical executable events pass Event Arguments. For most controls, this
field is not populated.
The ViewState is stored in another hidden HTML form field:
<input type="hidden" name="__VIEWSTATE" value="dDwtOT..." />
The data in the ViewState is compressed, and looks like gibberish, except to
the ASP.Net engine.
Upon PostBack, during the *LoadViewState* Event Handler method, the
ViewState is read, to prepare for restoring the Controls that will be
rebuilt to the state they were in during the previous Request.
All of the HTML form field values are read during the *LoadPostData* Event
Handler method of the page, providing the current client-side state of the
Page and Controls in it.
The *Load* method re-creates all of the Controls in the Page (including the
Page), and sets them to the state they were in during the previous Request.
Next, PostBack changes are processed by the Page and Controls in the page,
via the *RaisePostBackChangedEvent* method of the Page. This is where the
data in the form is compared with the PostBack data. Change events are fired
for Controls that have had their state changed, and have event handlers
specified to handle the Change event for those Controls. These events are
also handled at this time.
After that, the *RaisePostBackEvent* method is executed, which handles the
client-side event that caused the PostBack. At this point, the event-related
form field values are read, and an event is created, which is processed by
the affected Control's event handler for that event.
The *PreRender* event is executed next, which handles any additional
housekeeping that may be needed, and any code that the developer has defined
for additional pre-render processing. Sometimes changes must be made after
all of the current changes and events have been processed. This is the app's
last chance to do this.
The *SaveState* method saves the current client state of the Page to the
ViewState.
And finally, the page is *Render*ed to the browser.
--
HTH,
Kevin Spencer
Microsoft MVP
.Net Developer
A watched clock never boils.
Thanks for your reply.
> <input type="hidden" name="__EVENTTARGET" value="" />
> <input type="hidden" name="__EVENTARGUMENT" value="" />
> The "__EVENTTARGET" field is populated with the client ID of the Control that causes the event, via a JavaScript client-side event handler inserted into the HTML form tag by the ASP.Net engine. The "__EVENTARGUMENT" field is populated with (if any) data that is passed along, in much the same way that typical executable events pass Event Arguments. For most controls, this field is not populated.
I don't see these two fields in my rendered output, or any obvious insertion
into the <Form> tag. Below is a sample form, so I'm not sure where I am
going wrong here.
<form name="Form1" method="post" action="WebForm2.aspx" id="Form1">
Regards - Mr Newbie
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
<title>WebForm2</title>
<meta name="GENERATOR" content="Microsoft Visual Studio .NET 7.1">
<meta name="CODE_LANGUAGE" content="Visual Basic .NET 7.1">
<meta name="vs_defaultClientScript" content="JavaScript">
<meta name="vs_targetSchema"
content="http://schemas.microsoft.com/intellisense/ie5">
</HEAD>
<body MS_POSITIONING="GridLayout">
<form name="Form1" method="post" action="WebForm2.aspx" id="Form1">
<input type="hidden" name="__VIEWSTATE"
value="dDwtMTE1NTQwNjg2NTs7PvczoUrHH4pklZ9uELF+TO+dJV7q" />
<input type="submit" name="Button1" value="Button" id="Button1"
style="Z-INDEX: 101; LEFT: 40px; POSITION: absolute; TOP: 136px" />
<input type="submit" name="Button2" value="Button" id="Button2"
style="Z-INDEX: 102; LEFT: 40px; POSITION: absolute; TOP: 184px" />
<input name="TextBox1" type="text" id="TextBox1" style="Z-INDEX: 103;
LEFT: 32px; POSITION: absolute; TOP: 24px" />
<input name="TextBox2" type="text" id="TextBox2" style="Z-INDEX: 104;
LEFT: 40px; POSITION: absolute; TOP: 72px" />
</form>
</body>
</HTML>
Further investigation seems to indicate that these hidden fields only appear
when controls such as textboxes etc. have AutoPostBack=true.
If one has two buttons only, or the other controls do not have
AutoPostBack=true, then these are not generated. I can only conclude that
the submitting button is sent along with the request header in this case as
usual.
I (guess) this is because the form is submitted indirectly by controls
which could not normally cause a post, and therefore some other means of
recording the initiating event has to be provided for the server side logic.
I may be wrong, but it's good enough as a theory to be either validated or
burnt during debate.
--
Best Regards
The Inimitable Mr Newbie º¿º
"Mr Newbie" <he**@now.com> wrote in message
news:%2******** ********@TK2MSFTNGP12.phx.gbl...

Thanks for your reply.

> <input type="hidden" name="__EVENTTARGET" value="" />
> <input type="hidden" name="__EVENTARGUMENT" value="" />

I don't see these two fields in my rendered output, or any obvious insertion into the <form> tag. Below is a sample form, so I'm not sure where I am going wrong here.

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
<title>WebForm2</title>
<meta name="GENERATOR" content="Microsoft Visual Studio .NET 7.1">
<meta name="CODE_LANGUAGE" content="Visual Basic .NET 7.1">
<meta name="vs_defaultClientScript" content="JavaScript">
<meta name="vs_targetSchema" content="http://schemas.microsoft.com/intellisense/ie5">
</HEAD>
<body MS_POSITIONING="GridLayout">
<form name="Form1" method="post" action="WebForm2.aspx" id="Form1">
<input type="hidden" name="__VIEWSTATE" value="dDwtMTE1NTQwNjg2NTs7PvczoUrHH4pklZ9uELF+TO+dJV7q" />
<input type="submit" name="Button1" value="Button" id="Button1" style="Z-INDEX: 101; LEFT: 40px; POSITION: absolute; TOP: 136px" />
<input type="submit" name="Button2" value="Button" id="Button2" style="Z-INDEX: 102; LEFT: 40px; POSITION: absolute; TOP: 184px" />
<input name="TextBox1" type="text" id="TextBox1" style="Z-INDEX: 103; LEFT: 32px; POSITION: absolute; TOP: 24px" />
<input name="TextBox2" type="text" id="TextBox2" style="Z-INDEX: 104; LEFT: 40px; POSITION: absolute; TOP: 72px" />
</form>
</body>
</HTML>

Regards - Mr Newbie
"Kevin Spencer" <ke***@DIESPAMMERSDIEtakempis.com> wrote in message news:ud******** ******@TK2MSFTNGP15.phx.gbl...

Hi Inimitable,

I like the way you like to think when designing!

In answer to your question, and in anticipation of similar follow-up questions:

Basically, ASP.Net creates 2 hidden HTML form fields for server-side event handling:

<input type="hidden" name="__EVENTTARGET" value="" />
<input type="hidden" name="__EVENTARGUMENT" value="" />

The "__EVENTTARGET" field is populated with the client ID of the Control that causes the event, via a JavaScript client-side event handler inserted into the HTML form tag by the ASP.Net engine. The "__EVENTARGUMENT" field is populated with (if any) data that is passed along, in much the same way that typical executable events pass Event Arguments. For most controls, this field is not populated.

The ViewState is stored in another hidden HTML form field:

<input type="hidden" name="__VIEWSTATE" value="dDwtOT..." />

The data in the ViewState is compressed, and looks like gibberish, except to the ASP.Net engine.

Upon PostBack, during the *LoadViewState* Event Handler method, the ViewState is read, to prepare for restoring the Controls that will be rebuilt to the state they were in during the previous Request.

All of the HTML form field values are read during the *LoadPostData* Event Handler method of the page, providing the current client-side state of the Page and Controls in it.

The *Load* method re-creates all of the Controls in the Page (including the Page), and sets them to the state they were in during the previous Request.

Next, PostBack changes are processed by the Page and Controls in the page, via the *RaisePostBackChangedEvent* method of the Page. This is where the data in the form is compared with the PostBack data. Change events are fired for Controls that have had their state changed, and have event handlers specified to handle the Change event for those Controls. These events are also handled at this time.

After that, the *RaisePostBackEvent* method is executed, which handles the client-side event that caused the PostBack. At this point, the event-related form field values are read, and an event is created, which is processed by the affected Control's event handler for that event.

The *PreRender* event is executed next, which handles any additional housekeeping that may be needed, and any code that the developer has defined for additional pre-render processing. Sometimes changes must be made after all of the current changes and events have been processed. This is the app's last chance to do this.

The *SaveState* method saves the current client state of the Page to the ViewState.

And finally, the page is *Render*ed to the browser.

-- HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
A watched clock never boils.
"Mr Newbie" <he**@now.com> wrote in message news:eF******** ******@TK2MSFTNGP12.phx.gbl...

Thanks for that reply.

In essence, we are saying that it is technically possible, but highly unlikely that a hacker would go to these lengths. At least not unless the information contained was so inviting as to entice the would-be hacker to have a go.

What information would it be? I guess it's some sort of context mapping which tells the server which server control is being mapped to which client side field etc.???

Thanks again for taking the time to reply. I guess when I'm designing systems I like to think from the hacker's point of view as much as possible. I suppose that says something about my mind set, but I would like to think it's from a defensive and positive point of view rather than from a criminality angle!

Cheers - Mr Newbie . . .
"Kevin Spencer" <ke***@DIESPAMMERSDIEtakempis.com> wrote in message news:%2******** ********@TK2MSFTNGP09.phx.gbl...

Yo Mr. Newbie,

> Will this activate the Server side click event for this button
> regardless of if it has been displayed or not ?

No it will not. It would require a great deal of skill to accomplish something like this, if you do it correctly. That is, use an HtmlInputButton Control or a Button WebControl (used as a Command Button would be best, as this does not create a Submit button, and makes the job more difficult for the would-be hacker). These controls use JavaScript to send information about themselves in hidden form fields back to the server. So, the first obstacle for Sarah would be not only to add a Delete button to the HTML, but also to add the appropriate information into the hidden form fields. She would also have to enter the correct information into the hidden ViewState form field, in order to trick the server into reproducing the Page class and Controls as if its previous state had included the button. This is because HTTP is stateless. The server relies on the Request coming from the client to reproduce its State if the Page is posted back. It has to build the Page from scratch with each Request.

Sarah's only resort would be to get on to the computer right after John has loaded the page in the state she wants, and to copy the HTML to another file she could hide somewhere. Then, when John is gone, she could pull up the page with John's information in it, and merge the HTML to create the state she needs. Of course, this could be accounted for by a clever developer as well.

In short, using Server Controls would indeed be your best bet.

-- HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
A watched clock never boils.

"Mr Newbie" <he**@now.com> wrote in message news:O6******** ******@tk2msftngp13.phx.gbl...
> OK, thanks for the reply. I do intend to use access control but I
> think perhaps I didn't make myself clear enough.
>
> Let's say that we have two users 'Jon' and 'Sarah'. John may delete
> anything but 'Sarah' may only delete her own work.
>
> Before the form is rendered, the control logic determines that this
> document belongs to 'Jon' but that it is 'Sarah' who has opened it.
> Therefore the logic sets the Visible property of the 'Delete' button
> to False so it is not rendered to the client.
>
> However, 'Sarah' is feeling evil today and decides to enter the tags
> she's seen before on her own documents and loads the page, or at least
> somehow manages to add this object into the document displayed and
> invoke its click event
>
> Will this activate the Server side click event for this button
> regardless of if it has been displayed or not ?
>
> Regards Mr Newbie . . .
you are correct to be worried about this. asp.net has added more security
checking for these cases, but you never have enough.

hacking asp.net pages is very easy, as the html protocol is well known. to
hack all you need is notepad and a browser. using firefox or an IE addin really
helps. your hacker hits the site and gets a list of postback field values by
viewing source; Page Info in firefox will list forms and their fields, IE addins
do the same.

once you have the fields you make an html file:

<form method="post" action="url of site to attack">
  <!-- used by auto postback - fill in control name to fake control post -->
  <input type="hidden" name="__EVENTTARGET" value="">
  <input type="hidden" name="__EVENTARGUMENT" value="">
  <!-- magical viewstate - copy value from view source of actual browse -->
  <input type="hidden" name="__VIEWSTATE" value="">
  <!-- add any field values to post back, setting name to the control name
       and value to the value to post back -->
  <input type="hidden" name="field1name" value="my value">
  <!-- to postback a button, say your delete -->
  <input type="hidden" name="deletebuttonname" value="submit">
</form>
<script>document.forms[0].submit();</script>

just load the html in the browser, and it will do the attack. you should try
this on your site, should be easy.

you should have all BI logic re-verify the permissions. i use stored procs,
and have the procs recheck also.

-- bruce (sqlwork.com)
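The fix Bruce describes (re-verify the permission in the server-side logic, not only in what gets rendered), as an added example that is not code from this thread or from any of its participants. It is an ASP.NET Web Forms code-behind in C#, written in the ASP.NET 1.1 style of the rendered page above (the code-behind declares the control fields): Page_Load decides whether the Delete button is rendered, and btnDelete_Click repeats the same authorization check, because the server rebuilds the control tree on every request and raises Click from the posted form field, whether or not the button was ever shown to this user. The names TicketPage, Ticket, TicketRepository, btnDelete, lblStatus and the `id` query-string parameter are all assumptions made for the example.

```csharp
// Added example: ASP.NET Web Forms code-behind (C#). Not code from the thread.
// Assumed/hypothetical: the Ticket class, the in-memory TicketRepository, the
// "id" query-string parameter, and the controls btnDelete and lblStatus, which
// the matching .aspx would declare as
//   <asp:Button ID="btnDelete" runat="server" Text="Delete" OnClick="btnDelete_Click" />
//   <asp:Label ID="lblStatus" runat="server" />
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web.UI;
using System.Web.UI.WebControls;

public class Ticket
{
    public int Id { get; set; }
    public string Owner { get; set; }   // user name of the ticket's creator
    public string Title { get; set; }
}

// Hypothetical data access layer, kept in memory so the example is self-contained.
// Constructed sample data: Jon owns ticket 1, Sarah owns ticket 2.
public static class TicketRepository
{
    private static readonly Dictionary<int, Ticket> Store = new Dictionary<int, Ticket>
    {
        { 1, new Ticket { Id = 1, Owner = "jon",   Title = "Printer on fire" } },
        { 2, new Ticket { Id = 2, Owner = "sarah", Title = "Password reset" } },
    };

    public static Ticket Load(int id)
    {
        Ticket t;
        return Store.TryGetValue(id, out t) ? t : null;
    }

    public static void Delete(int id) { Store.Remove(id); }
}

public class TicketPage : Page
{
    protected Button btnDelete;   // ASP.NET 1.1 style: fields match the .aspx control IDs
    protected Label lblStatus;

    private Ticket _ticket;

    // The single authorization rule, used both for rendering and for the handler,
    // so the two can never drift apart. Administrators may delete anything;
    // everyone else only tickets they own.
    public static bool CanDelete(IPrincipal user, Ticket ticket)
    {
        if (ticket == null || user == null || !user.Identity.IsAuthenticated)
            return false;
        if (user.IsInRole("Administrator"))
            return true;
        return string.Equals(ticket.Owner, user.Identity.Name,
                             StringComparison.OrdinalIgnoreCase);
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        int id;
        if (!int.TryParse(Request.QueryString["id"], out id))
        {
            Response.StatusCode = 404;
            Response.SuppressContent = true;
            Context.ApplicationInstance.CompleteRequest();
            return;
        }
        _ticket = TicketRepository.Load(id);

        // Presentation only: decides whether the Delete button is rendered.
        // A user who never saw the button can still post "btnDelete=..." (or
        // __EVENTTARGET=btnDelete) by hand, so this is not the security check.
        btnDelete.Visible = CanDelete(User, _ticket);
    }

    protected void btnDelete_Click(object sender, EventArgs e)
    {
        // Page_Load has already run for this postback, so _ticket is set.
        // Re-verify here: the Click event is raised from the posted form field,
        // not from anything the client was actually shown.
        if (!CanDelete(User, _ticket))
        {
            Response.StatusCode = 403;
            Response.SuppressContent = true;
            Context.ApplicationInstance.CompleteRequest();
            return;
        }

        TicketRepository.Delete(_ticket.Id);
        lblStatus.Text = "Ticket " + _ticket.Id + " deleted.";
    }
}
```

Run against the forged form from Bruce's post, a request from Sarah naming btnDelete for ticket 1 reaches btnDelete_Click and is refused with a 403, while the same request for ticket 2 succeeds; the Visible setting never enters into that decision. Keep the check in the data layer as well, as Bruce does with his stored procedures: the handler check protects this one page, the procedure check protects every caller of the delete.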
Thanks for the input Bruce,
I get paranoid about security when designing anything for a client because
if you get it wrong as a freelance/contractor, you really don't want to be
on the receiving end of any law suit, professional indemnity or not, it's not
a good position to be in.
I am going to try this out in the next couple of days when I get a minute as
I think it's worth some further investigation and report my findings back
to the group/thread.
--
Best Regards
The Inimitable Mr Newbie º¿º