
Form Spoof/editing <option> tag values

Hi there,

Should I be concerned with a malicious user spoofing a postback by changing the values for a control like the dropdownlist found in the rendered <option> tags? I would hope ASP.NET would bomb on them if the value they posted was never a listitem in the control.

Here's another question/situation though, what if the listitems in the codebehind were just "visible=false", could a user potentially trick a dropdownbox into acting like an element has been selected, that really was never there?

Thanks,
--Michael
Nov 18 '05 #1
"Raterus" <ra*****@spam.org> wrote in message
news:uF**************@TK2MSFTNGP09.phx.gbl...
> Hi there,
>
> Should I be concerned with a malicious user spoofing a postback by changing
> the values for a control like the dropdownlist found in the rendered
> <option> tags.

In general, yes.

> I would hope asp.net would bomb on them if the value they
> posted was never a listitem in the control.

It doesn't. There are several very good potential reasons for this,
including the little detail that the items collection might not yet be
populated at the time that the verification would execute.

You should add validation of your own if you want to avoid this problem.
When doing so, you should probably also consider that the list that was
generated for the client on initial page load is not necessarily the same
list that is available on the server by the time the page is submitted,
i.e., items could be added or removed from the source list in the time
between the loading and submission of the page by any given client.

> Here's another question/situation though, what if the listitems in the
> codebehind were just "visible=false", could a user potentially trick a
> dropdownbox into acting like an element has been selected, that really was
> never there?

It doesn't validate anyway, so visibility doesn't matter.

HTH,
Nicole
Nov 18 '05 #2
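One way to do the validation recommended in the reply above, as an added example (not code from the thread or from ASP.NET itself): the posted value is checked against the set the server actually rendered for this user and against the source list as it stands at submit time. `PostedOptionValidator`, its `Result` values and the sample option values are hypothetical; the example assumes the server keeps the rendered set on its own side (for instance in session state) rather than trusting anything the client sends back.

```csharp
using System;
using System.Collections.Generic;

// Added example: server-side allow-list check for a posted <option> value.
static class PostedOptionValidator
{
    public enum Result { Ok, Missing, NotOffered, NoLongerAvailable }

    // offeredAtRender: values the server rendered as <option> tags for this user,
    //                  stored server-side (assumption: e.g. session state).
    // availableNow:    values valid at submit time, re-read from the data source.
    public static Result Check(string posted,
                               ICollection<string> offeredAtRender,
                               ICollection<string> availableNow)
    {
        if (string.IsNullOrEmpty(posted))
            return Result.Missing;
        // Value was never sent to this client: an edited <option>, or an item
        // that existed in the code-behind but was hidden from the rendered list.
        if (!offeredAtRender.Contains(posted))
            return Result.NotOffered;
        // Value was legitimately offered, but the source list changed between
        // page load and submission.
        if (!availableNow.Contains(posted))
            return Result.NoLongerAvailable;
        return Result.Ok;
    }
}

static class Program
{
    static void Main()
    {
        // Constructed sample data: "40" exists in the source list but was hidden
        // from this user; "20" was offered and then removed before submission.
        var offered = new HashSet<string>(StringComparer.Ordinal) { "10", "20", "30" };
        var now = new HashSet<string>(StringComparer.Ordinal) { "10", "30", "40" };

        foreach (var posted in new[] { "10", "20", "40", "99", "" })
        {
            Console.WriteLine("posted \"{0}\" -> {1}", posted,
                PostedOptionValidator.Check(posted, offered, now));
        }
    }
}
```

Treat `NotOffered` as a tampering signal worth logging, and `NoLongerAvailable` as a normal race that should send the user back to a refreshed list.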
