
Is Hiding Server Controls Enough ?

I was thinking about developing a workflow application yesterday and was
musing over the different approaches that one could take in restricting
specific actions on a ticket( Form ) at any said stage.

One approach I have used on other systems is to prevent the action buttons
appearing. For example, if one did not have the Role of Administrator, one
would be prevented from deleting a ticket not created by oneself.

However, it did occur to me that there was a possibility of manually
constructing the button code in the page which has been rendered to the
client.

If you have a button which was visible=false ( Not HTML hidden ), then would
it be possible to invoke the backend function by manually adding the tag/id
etc for this button ?

I guess I could experiment, but I wondered if there was an instant answer
available ?
--
Best Regards

The Inimitable Mr Newbie º¿º
Nov 19 '05
Hey, I liked it! But although I certainly referenced the film, I was more
intrigued with the central philosophical idea that it proposed, which was
that the Kingdom of Heaven is not something of this world, but in the hearts
and minds of those who commit to doing good to all at all times, and strive
to achieve that purpose.

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
A watched clock never boils.

"John Timney ( MVP )" <ti*****@despammed.com> wrote in message
news:%2***************@TK2MSFTNGP15.phx.gbl...
not that really bad movie I hope.......lol

--
Regards

John Timney
ASP.NET MVP
Microsoft Regional Director

"Kevin Spencer" <ke***@DIESPAMMERSDIEtakempis.com> wrote in message
news:%2****************@TK2MSFTNGP15.phx.gbl...
I often muse over what the outcome would be or not if we were to
co-ordinate world efforts using the total sum of mental and physical
energy expended on stopping people behaving in a manner other than in
alignment of the common good.


The outcome would be the Kingdom of Heaven!

--
:-D,

Kevin Spencer
Microsoft MVP
.Net Developer
A watched clock never boils.

"Mr Newbie" <he**@now.com> wrote in message
news:Oc**************@TK2MSFTNGP10.phx.gbl...
Thanks John,

By the way, what is your region ?

Yes, I have done a little with ASP.NET 2.0 Personalisation and
Membership, so I am aware of some of the basics; however, I think that
one has to assume there are loopholes and try one's best to find them
before someone finds them for you.

Thanks for your replies; it all goes into my internal cookbook for
future reference. As I said in another reply in the same thread, it's
just a pity that mankind has to expend so much energy to ensure the
defeat of our shortcomings (Criminal Elements).

I often muse over what the outcome would be or not if we were to
co-ordinate world efforts using the total sum of mental and physical
energy expended on stopping people behaving in a manner other than in
alignment of the common good.

I know that's a bit philosophical for this newsgroup, but what the hey !

--
Best Regards

The Inimitable Mr Newbie º¿º

----------------------------------------------------

"John Timney ( MVP )" <ti*****@despammed.com> wrote in message
news:uO**************@TK2MSFTNGP09.phx.gbl...
it's worth reading up on the net2 membership and login controls to
understand where you can better apply security.

http://beta.asp.net/QUICKSTART/aspne...y/default.aspx

The problem with just hiding controls is that their server events may
still be accessible, as you have found. You need to ensure that
functionality is not available regardless of the interface requesting
the methods - technically you need to render the methods inaccessible
based on a user's authorised role in your application.

--
Regards

John Timney
ASP.NET MVP
Microsoft Regional Director

"Mr Newbie" <he**@now.com> wrote in message
news:Od***************@TK2MSFTNGP10.phx.gbl...
> Actually I just tested it. You CAN make the server invoke a button
> which was made visible=false. I just used the method you prescribed
> and it does work 'Unfortunately'.
>
> OK, well that's one method I definitely will avoid. And I will have to
> be more vigilant in my methods of ensuring security is maintained.
>
> Thanks.
>
> --
> Best Regards
>
> The Inimitable Mr Newbie º¿º
>
>
>
> "Mr Newbie" <he**@now.com> wrote in message
> news:%2******************@TK2MSFTNGP12.phx.gbl...
>> Thanks for the input Bruce,
>>
>> I get paranoid about security when designing anything for a client
>> because if you get it wrong as a freelance/contractor, you really
>> don't want to be on the receiving end of any lawsuit, professional
>> indemnity or not; it's not a good position to be in.
>>
>> I am going to try this out in the next couple of days when I get a
>> minute as I think it's worth some further investigation and will report
>> my findings back to the group/thread.
>>
>> --
>> Best Regards
>>
>> The Inimitable Mr Newbie º¿º
>>
>> -------------------------------------------------------------
>>
>> "Bruce Barker" <br******************@safeco.com> wrote in message
>> news:Oz**************@TK2MSFTNGP12.phx.gbl...
>>> you are correct to be worried about this. asp.net has added more
>>> security checking for these cases, but you never have enough.
>>>
>>> hacking asp.net pages is very easy, as the html protocol is well
>>> known. to hack
>>>
>>> all you need is notepad and a browser. using firefox or an IE addin
>>> really helps. your hacker hits the site and gets a list of postback
>>> field values by viewing source, info on firefox will list forms and
>>> their fields, IE addins do the same.
>>>
>>> once you have the field you make an html file:
>>>
>>> <form method=post action="url of site to attack" >
>>>
>>> used by auto postback - fill in control name to fake control post
>>>
>>> <input type=hidden name="__EVENTTARGET" value="">
>>> <input type=hidden name="__EVENTARGUMENT" value="">
>>>
>>> magical viewstate - copy value from view source of actual browse
>>>
>>> <input type=hidden name="__VIEWSTATE" value="">
>>>
>>> add any field values to post back setting name to the control
>>> name, value = to value to post back
>>>
>>> <input type=hidden name="field1name" value="my value">
>>>
>>> to postback a button, say your delete
>>>
>>> <input type=hidden name="deletebuttonname" value="submit">
>>>
>>> </form>
>>> <script>document.forms[0].submit();</script>
>>>
>>> just load the html in the browser, and it will do the attack. you
>>> should try this on your site, should be easy.
>>>
>>> you should have all BI logic re-verify the permissions. i use stored
>>> procs, and have the procs recheck also.
>>>
>>> -- bruce (sqlwork.com)
>>>
>>>
>>>
>>>
>>>
Nov 19 '05 #21
Hiding is not good for this: each event handler has to explicitly check
whether the invoker is allowed to do the action! When an attack happens, log it,
but do no action for the attacker (just ignore it).

Hiding is good for only one thing: showing different contents to different
viewers; this is safe.

There is another question: how to verify identity through the session. After
checking the passwords, placing the correct flag in Session or in User.Identity
should be good enough.

For banking-level security this should not be considered to be enough.

Pazu

Nov 19 '05 #22
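One way to apply the advice from Bruce and Pazu above (the same authorisation rule decides whether the button is rendered and is evaluated again inside the click handler, and a rejected postback is logged and ignored), written as an added ASP.NET Web Forms example rather than code from any poster; the Ticket class, TicketRepository and AuditLog are assumed helpers:

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

// Hypothetical domain type for the ticket workflow discussed in the thread.
public class Ticket
{
    public int Id { get; set; }
    public string Owner { get; set; }   // user name of the creator
}

public partial class TicketPage : Page
{
    // Assumed markup: <asp:Button ID="btnDelete" OnClick="btnDelete_Click" runat="server" />
    protected Button btnDelete;
    private Ticket _ticket;

    // One authorisation rule, used both when rendering and when handling the event.
    // Administrators may delete any ticket; other users only tickets they created.
    public static bool CanDelete(IPrincipal user, Ticket ticket)
    {
        if (user == null || ticket == null || !user.Identity.IsAuthenticated)
            return false;
        if (user.IsInRole("Administrator"))
            return true;
        return string.Equals(ticket.Owner, user.Identity.Name,
                             StringComparison.OrdinalIgnoreCase);
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        int id;
        if (!int.TryParse(Request.QueryString["id"], out id))
            throw new HttpException(400, "Bad ticket id");
        _ticket = TicketRepository.Load(id);          // assumed data-access helper

        // Visible=false only keeps the button out of the HTML; it is not an access check.
        btnDelete.Visible = CanDelete(User, _ticket);
    }

    protected void btnDelete_Click(object sender, EventArgs e)
    {
        // A hand-built form posting this control's name can raise this event even
        // though the button was never rendered, so the rule is evaluated again here.
        if (!CanDelete(User, _ticket))
        {
            AuditLog.Write("rejected delete postback",             // assumed logger
                           User.Identity.Name, Request.UserHostAddress, _ticket.Id);
            return;                                                // ignore, as Pazu advises
        }
        TicketRepository.Delete(_ticket.Id);
    }
}
```

ASP.NET 2.0's event validation (EnableEventValidation on the @ Page directive) rejects postbacks that name controls which were not rendered and is worth leaving on, but it is a second layer rather than a substitute for the check inside the handler.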
Thanks Pazu.

I think we have this one covered now. I have a useful link here you may like
to read, I found it interesting.

http://msdn.microsoft.com/library/de...tybarriers.asp

--
Best Regards

The Inimitable Mr Newbie º¿º

Nov 19 '05 #23
