Can I find out if the postback came from the same server?

Hello,

Reading articles on the various forms of attack that people try against
web sites, it seems that a lot of them involve people modifying a page
and posting it back to the server. Thus, if you had some way of checking
(on postback) if the postback had come from the server on which the page
is running, you would be a long way to avoiding these attacks.

For example, if you could have (pseudocode)...

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!FromMyServer)      // hypothetical check: did this postback come from my own server?
        {
            // display a message such as "Don't try and hack my site!!"
        }
        else if (!IsPostBack)
        {
            // initialise controls, etc.
        }
    }

Offhand, the only way I can think of doing such a check is from the
HTTP_REFERER server variable, but as that is pretty easy to hack, it
doesn't really help.

Any comments?

--
Alan Silver
(anything added below this line is nothing to do with me)
Nov 19 '05 #1
Read this article, it will go a long way towards helping you understand some
of the pitfalls and workarounds.

http://msdn.microsoft.com/library/de...tybarriers.asp
Best Regards

The Inimitable Mr Newbie º¿º
Nov 19 '05 #2
> Read this article, it will go a long way towards helping you understand some
> of the pitfalls and workarounds.
>
> http://msdn.microsoft.com/library/de.../en-us/dnaspp/
> html/securitybarriers.asp

Thanks for the link. The article was useful, but still didn't address
the point I raised. If you had some way of checking that the postback
had come from the same server, you would avoid quite a number of the
attacks in the first place. Several of the ones mentioned involved
posting from another server. If you simply disallowed these, you would
cut out a number of possible attacks without any further work. Obviously
you would still have plenty to do protecting yourself from other kinds
of attack.

Which brings me back to my original question, is there a reliable way of
checking if the postback came from the same server?
--
Alan Silver
(anything added below this line is nothing to do with me)
Nov 19 '05 #3
PL
> Which brings me back to my original question, is there a reliable way of checking if the postback came from the same server?

I assume you are aware of the event validation feature of ASP.NET 2.0?

Event validation ensures the postback comes from the control that originally
rendered it, meaning for example that if you have a datagrid with edit buttons
and those buttons are wired into calling "ItemEdit" it will validate the events
to make sure it came from the control that originally rendered it.

This is not really 100% but it goes a long way to protect against the type
of attacks you are talking about.

PL.

Nov 19 '05 #4
>> Which brings me back to my original question, is there a reliable way
>> of checking if the postback came from the same server?
> I assume you are aware of the event validation feature of ASP.NET 2.0?

You assume incorrectly!! I am ignorant ;-)
> Event validation ensures the postback comes from the control that originally
> rendered it, meaning for example that if you have a datagrid with edit buttons
> and those buttons are wired into calling "ItemEdit" it will validate the events
> to make sure it came from the control that originally rendered it.

If so, how do the attacks that rely on saving a page, modifying it and
posting back from another server work? Surely the eventvalidation would
catch this?

Or did I miss the point?

Actually, re-reading your words, it looks like the check is to ensure
that the event is called from the control that is supposed to call it.
If so, then it could easily be from another server, as long as the name
of the control in the saved page wasn't changed.

Or did I still miss the point?
> This is not really 100% but it goes a long way to protect against the type
> of attacks you are talking about.

I would be grateful if you could explain it a little more, as I'm not
very clear so far<g>

Also, is this something built in to ASP.NET, or do you have to do
something to enable it?

Thanks for the reply

--
Alan Silver
(anything added below this line is nothing to do with me)
Nov 19 '05 #5
PL
> If so, how do the attacks that rely on saving a page, modifying it and
> posting back from another server work? Surely the eventvalidation would
> catch this?

If it's modified I think it will.
> Actually, re-reading your words, it looks like the check is to ensure that
> the event is called from the control that is supposed to call it. If so,
> then it could easily be from another server, as long as the name of the
> control in the saved page wasn't changed.

I'm not 100% sure how it works but it puts a hidden field named
__EVENTVALIDATION in the form with a hash of the unique ids
from the controls rendered on the page.

This value is verified at postback, not sure what would happen if you save
the complete page and put it up on a separate server.
> Also, is this something built in to ASP.NET, or do you have to do
> something to enable it?

It's new in ASP.NET 2.0 and turned on by default. To turn it off you use
<pages enableEventValidation="false" /> (inside <system.web>) in the web.config,
or put EnableEventValidation="false" in the @Page directive for an individual page.

I'm having a hard time finding any good articles about this subject but
ASP.NET 2.0 is still just a few weeks old (RTM version).

PL.
Nov 19 '05 #6
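The mechanism PL describes (a keyed hash of the rendered controls' ids in a hidden field, checked at postback) and Alan's objection to it (an unmodified saved copy of the page would still pass) can both be seen in a small model. The following is an added example written for this page, not code from the thread or from ASP.NET itself: it uses an HMAC under a server-side key to stand in for the machineKey-protected __EVENTVALIDATION field. The field layout, the "session-A"/"session-B" ids and the separate per-session form token are assumptions made for the illustration, not the framework's real format.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Added illustration, not from the thread or from ASP.NET: a model of a keyed hash
// carried in a hidden field. Field layout, token names and session ids are assumed.
public static class PostbackCheck
{
    // Plays the role of the machineKey: a secret that never leaves the server.
    private static readonly byte[] ServerKey = NewKey();

    private static byte[] NewKey()
    {
        var key = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        return key;
    }

    // HMAC over (purpose, data); the purpose string keeps the two token kinds distinct.
    private static string Mac(string purpose, string data)
    {
        using (var hmac = new HMACSHA256(ServerKey))
        {
            byte[] mac = hmac.ComputeHash(Encoding.UTF8.GetBytes(purpose + "\n" + data));
            return Convert.ToBase64String(mac);
        }
    }

    // Compare without an early exit, so timing does not reveal how much matched.
    private static bool SameMac(string expected, string actual)
    {
        byte[] x = Encoding.UTF8.GetBytes(expected);
        byte[] y = Encoding.UTF8.GetBytes(actual ?? "");
        if (x.Length != y.Length) return false;
        int diff = 0;
        for (int i = 0; i < x.Length; i++) diff |= x[i] ^ y[i];
        return diff == 0;
    }

    // Render time: sign the UniqueIDs of the controls that were actually emitted.
    // The list travels in the clear; only the MAC makes it trustworthy.
    public static string RenderEventValidation(IEnumerable<string> renderedIds)
    {
        string list = string.Join("|", renderedIds.OrderBy(id => id, StringComparer.Ordinal));
        string encoded = Convert.ToBase64String(Encoding.UTF8.GetBytes(list));
        return encoded + "." + Mac("eventvalidation", list);
    }

    // Postback time: the control raising the event must be in a list this server signed.
    // An edited list or a button that was never rendered is rejected.
    public static bool ValidateEvent(string field, string eventTarget)
    {
        if (string.IsNullOrEmpty(field)) return false;
        int dot = field.IndexOf('.');
        if (dot < 0) return false;
        string list;
        try { list = Encoding.UTF8.GetString(Convert.FromBase64String(field.Substring(0, dot))); }
        catch (FormatException) { return false; }
        if (!SameMac(Mac("eventvalidation", list), field.Substring(dot + 1))) return false;
        return list.Split('|').Contains(eventTarget);
    }

    // A second token bound to the visitor's own session: a page served to one session
    // does not carry a token that validates for another session.
    public static string IssueFormToken(string sessionId)
    {
        return Mac("formtoken", sessionId);
    }

    public static bool ValidateFormToken(string sessionId, string token)
    {
        return SameMac(Mac("formtoken", sessionId), token);
    }

    public static void Main()
    {
        // Constructed sample: UniqueIDs a page with a grid and a save button might render.
        var rendered = new[] { "ctl00$grid$ctl02$btnEdit", "ctl00$grid$ctl03$btnEdit", "ctl00$btnSave" };
        string field = RenderEventValidation(rendered);

        Console.WriteLine("rendered button posts back:      " + ValidateEvent(field, "ctl00$grid$ctl02$btnEdit"));
        Console.WriteLine("button that was never rendered:  " + ValidateEvent(field, "ctl00$grid$ctl99$btnDelete"));

        // Edit the signed list itself (change one character of the base64 part).
        string tampered = (field[0] == 'A' ? "B" : "A") + field.Substring(1);
        Console.WriteLine("hidden field edited by hand:     " + ValidateEvent(tampered, "ctl00$grid$ctl02$btnEdit"));

        // An unmodified copy of the page carries a valid field wherever it is posted from.
        Console.WriteLine("verbatim copy posted elsewhere:  " + ValidateEvent(field, "ctl00$grid$ctl02$btnEdit"));

        // A token tied to the session narrows that: a copy served to session A does
        // not validate when submitted under session B's cookie.
        string tokenForA = IssueFormToken("session-A");
        Console.WriteLine("token checked for own session:   " + ValidateFormToken("session-A", tokenForA));
        Console.WriteLine("token checked for other session: " + ValidateFormToken("session-B", tokenForA));
    }
}
```

Compile it as a console program. The first check passes, the second and third fail, and the fourth passes as well: the signed field proves that this server rendered those controls, not where the HTTP request was sent from, which is why neither it nor HTTP_REFERER (a header the client chooses to send, alter or omit) can answer the thread's question literally. What a server can do is bind the form to the session it was served to, as the last two checks show, and then treat the posted values as untrusted input and validate them server-side whatever their origin.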