Bytes | Software Development & Data Engineering Community

Can I find out if the postback came from the same server?

Hello,

Reading articles on the various forms of attack that people try against
web sites, it seems that a lot of them involve people modifying a page
and posting it back to the server. Thus, if you had some way of checking
(on postback) whether the postback had come from the server on which the page
is running, you would go a long way towards avoiding these attacks.

For example, if you could have (pseudocode)...

void Page_Load(object o, EventArgs e) {
    if (!FromMyServer) {   // FromMyServer: the hypothetical check being asked about
        // display message "Don't try and hack my site!!" or similar
    } else if (!IsPostBack) {
        // initialise controls, etc
    }
}

Offhand, the only way I can think of doing such a check is from the
HTTP_REFERER server variable, but as that is pretty easy to hack, it
doesn't really help.

Any comments?

--
Alan Silver
(anything added below this line is nothing to do with me)
Nov 19 '05 #1
Read this article, it will go a long way towards helping you understand some
of the pitfalls and workarounds.

http://msdn.microsoft.com/library/de...tybarriers.asp
Best Regards

The Inimitable Mr Newbie º¿º
Nov 19 '05 #2
> Read this article, it will go a long way towards helping you understand some
> of the pitfalls and workarounds.
>
> http://msdn.microsoft.com/library/de.../en-us/dnaspp/html/securitybarriers.asp

Thanks for the link. The article was useful, but still didn't address
the point I raised. If you had some way of checking that the postback
had come from the same server, you would avoid quite a number of the
attacks in the first place. Several of the ones mentioned involved
posting from another server. If you simply disallowed these, you would
cut out a number of possible attacks without any further work. Obviously
you would still have plenty to do protecting yourself from other kinds
of attack.

Which brings me back to my original question, is there a reliable way of
checking if the postback came from the same server?
--
Alan Silver
(anything added below this line is nothing to do with me)
Nov 19 '05 #3
PL
> Which brings me back to my original question, is there a reliable way of
> checking if the postback came from the same server?

I assume you are aware of the event validation feature of ASP.NET 2.0?

Event validation ensures the postback comes from the control that originally
rendered it, meaning for example that if you have a datagrid with edit buttons
and those buttons are wired into calling "ItemEdit" it will validate the events
to make sure it came from the control that originally rendered it.

This is not really 100% but it goes a long way to protect against the type
of attacks you are talking about.

PL.

Nov 19 '05 #4
>> Which brings me back to my original question, is there a reliable way
>> of checking if the postback came from the same server?
> I assume you are aware of the event validation feature of ASP.NET 2.0?

You assume incorrectly!! I am ignorant ;-)

> Event validation ensures the postback comes from the control that originally
> rendered it, meaning for example that if you have a datagrid with edit buttons
> and those buttons are wired into calling "ItemEdit" it will validate the events
> to make sure it came from the control that originally rendered it.

If so, how do the attacks that rely on saving a page, modifying it and
posting back from another server work? Surely the event validation would
catch this?

Or did I miss the point?

Actually, re-reading your words, it looks like the check is to ensure
that the event is called from the control that is supposed to call it.
If so, then it could easily be from another server, as long as the name
of the control in the saved page wasn't changed.

Or did I still miss the point?

> This is not really 100% but it goes a long way to protect against the type
> of attacks you are talking about.


I would be grateful if you could explain it a little more, as I'm not
very clear so far<g>

Also, is this something built in to ASP.NET, or do you have to do
something to enable it?

Thanks for the reply

--
Alan Silver
(anything added below this line is nothing to do with me)
Nov 19 '05 #5
PL
> If so, how do the attacks that rely on saving a page, modifying it and
> posting back from another server work? Surely the event validation would
> catch this?

If it's modified I think it will.

> Actually, re-reading your words, it looks like the check is to ensure that
> the event is called from the control that is supposed to call it. If so,
> then it could easily be from another server, as long as the name of the
> control in the saved page wasn't changed.

I'm not 100% sure how it works but it puts a hidden field named
__EVENTVALIDATION in the form with a hash of the unique IDs
from the controls rendered on the page.

This value is verified at postback, not sure what would happen if you save
the complete page and put it up on a separate server.

> Also, is this something built in to ASP.NET, or do you have to do
> something to enable it?

It's new in ASP.NET 2.0 and turned on by default, to turn it off you use
<page enableEventValidation="False"> in the web.config or put
enableEventValidation="False" in the @Page tag for an individual page.

I'm having a hard time finding any good articles about this subject but
ASP.NET 2.0 is still just a few weeks old (RTM version).

PL.
Nov 19 '05 #6
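The mechanism PL sketches in #4 and #6 (a hidden __EVENTVALIDATION field carrying an authenticated record of the control IDs the server rendered, checked again on postback) and Alan's question in #5 about whether an unmodified saved copy would still pass, modelled as an added example. This is Python written for this page, not ASP.NET's implementation and not code from anyone in the thread: the field names __EVENTVALIDATION and __EVENTTARGET are borrowed from ASP.NET, but the record format, the assumed VALIDATION_KEY, the helper names and the three constructed form bodies are this example's own.

```python
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qsl, urlencode

# Assumed server-side secret for this model. ASP.NET keeps its own key
# (machineKey); this example does not read or reproduce it.
VALIDATION_KEY = secrets.token_bytes(32)


def _mac(data: bytes, key: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def build_event_validation(control_ids, key=VALIDATION_KEY):
    """Render time: record the set of control IDs that may raise a postback
    event and authenticate that record, so a client cannot extend it."""
    record = base64.urlsafe_b64encode(
        json.dumps(sorted(set(control_ids))).encode()).decode()
    return record + "." + _mac(record.encode(), key)


def registered_controls(field_value, key=VALIDATION_KEY):
    """Postback: recover the set of controls the server rendered, or None if
    the hidden field is missing, malformed, or does not carry a valid MAC."""
    if not field_value or "." not in field_value:
        return None
    record, tag = field_value.rsplit(".", 1)
    if not hmac.compare_digest(tag.encode(), _mac(record.encode(), key).encode()):
        return None
    return set(json.loads(base64.urlsafe_b64decode(record)))


def render_form(control_ids):
    """The page as served: one field per control plus the hidden record."""
    fields = {cid: "" for cid in control_ids}
    fields["__EVENTVALIDATION"] = build_event_validation(control_ids)
    return fields


def check_postback(body, key=VALIDATION_KEY):
    """Return (accepted, reason) for a posted form body."""
    fields = dict(parse_qsl(body, keep_blank_values=True))
    allowed = registered_controls(fields.pop("__EVENTVALIDATION", None), key)
    if allowed is None:
        return False, "missing or forged __EVENTVALIDATION"
    target = fields.pop("__EVENTTARGET", None)
    if target is not None and target not in allowed:
        return False, f"event target {target!r} was never rendered"
    unknown = set(fields) - allowed
    if unknown:
        return False, f"posted controls were never rendered: {sorted(unknown)}"
    return True, "ok"


def scenarios():
    """Three postbacks against one rendered page (all inputs constructed here)."""
    rendered = render_form(["txtName", "btnSave"])
    # 1. The page as served, submitted normally.
    good = urlencode({**rendered, "txtName": "alice", "__EVENTTARGET": "btnSave"})
    # 2. A saved copy edited to add a button the page never had.
    tampered = urlencode({**rendered, "txtName": "alice", "btnDeleteAll": "1",
                          "__EVENTTARGET": "btnDeleteAll"})
    # 3. A saved copy submitted unmodified, from any host whatsoever: the
    #    server sees the same bytes and cannot tell it apart from case 1.
    replayed = urlencode({**rendered, "txtName": "mallory", "__EVENTTARGET": "btnSave"})
    return {name: check_postback(body)[0]
            for name, body in (("good", good), ("tampered", tampered), ("replayed", replayed))}


if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

What the model makes visible: the check that rejects the tampered copy is an integrity check on the form the server rendered, keyed with a secret the client never sees; the unmodified copy passes because nothing in an HTTP request tells the server which host the bytes were saved on or typed into, which is why the "FromMyServer" test in the opening post cannot exist (the Referer header included). What a server can enforce is that the posted controls are ones it rendered, as here, and, for the cross-site case, that the form carries a token bound to the submitting user's session; every posted value still needs ordinary server-side validation.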
