Can a client get to a button click event programmatically if the button is not rendered? [duplicate]

This is in ASP.NET web forms, I have a save button on a screen. When I load the page initially, under certain conditions, the save button is not rendered.

button1.Visible = false;

In my button clicked event, I have this

public void button1_click(Object sender, EventArgs e)
{
    SaveData();
}

The only security preventing the user from being saved is whether the save button is rendered.

In MVC, it would be trivial to access the save button action method just by making a HTTP POST to the server with my own modified request.

In ASP.NET Web forms, I'm a little bit confused because it relies on the encrypted ViewState being posted back. Do I still need to add this security to the button1_click event too? If so, then can you tell me how a client can fire a postback to the server that would reach the button click event without the button being visible?

Diskdrive asked Aug 04 '15 12:08
2 Answers

That is one of the common mistakes about ViewState - it DOES NOT serve your click events and many other things.

Each click on a button (or checkbox if autopostback is enabled) raises a form submission to the server. And all info about what was clicked is included in the form postback data as plain text. Then the server parses this data and, as your button has IPostBackDataHandler implemented, it raises the appropriate events like "button id has been clicked". So, you can actually change the request body:

D__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPD...&ctl00%24_pdContent%24txtEmail=qwe%40aeqw.ry&ctl00%24_pdContent%24btnRtnUser=Login&__EVENTVALIDATION=%2FwEWDAL424aUAQLjtYbqCAKu8qTUCQLXm%2BfNAwKk2O%2B4DgK3ypStCAL6q%2BaACgKBnvb9CQLr8ey6CALxoZvDCALFt96ABgLMorjMAwoW3zW69NNlOXygWNnB6luGVWnk

Above you can see the content of the input with id=ctl00__pdContent_txtEmail and the clicked login button with id=ctl00__pdContent_btnRtnUser.

More explanation about server events in WebForms here.

And please read more about ViewState here or even better explanation here.

LaoR answered Nov 15 '22 01:11


https://stackoverflow.com/a/24064375/279911

According to this answer on another question, it looks like it is impossible to reach the button click event if the button is not rendered as long as you have the relevant security settings set.

Yes, setting a button's Visible property to false is enough to prevent its Click and Command events from being raised, as long as you don't turn off the default ASP.NET security features.

Diskdrive answered Nov 15 '22 00:11
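Both answers point at the same server-side fact: the postback body, not the ViewState, names the clicked control, and only event validation stops a postback for a control that was never rendered. The code-behind below is an added example, not code from the question or either answer, showing the defence-in-depth version of the Save button: Visible is derived from an authorization check, and the click handler repeats that check before doing the privileged work instead of trusting that the button was rendered. CurrentUserCanSave() and the "Editor" role are hypothetical; SaveData() is the question's own method name and is left as a stub.

```csharp
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

// Added example (not from the question or answers). The .aspx is assumed to declare
// <asp:Button ID="button1" runat="server" OnClick="button1_click" Text="Save" />
// and to leave the @Page directive's EnableEventValidation at its default (true).
public partial class EditRecord : Page
{
    protected Button button1; // the Save button from the question (declared in the .aspx)

    protected void Page_Load(object sender, EventArgs e)
    {
        // Rendering decision: hide the button when the user may not save.
        // With event validation on, a postback that names a control which was
        // not rendered is rejected before any click event is raised.
        button1.Visible = CurrentUserCanSave();
    }

    protected void button1_click(object sender, EventArgs e)
    {
        // Defence in depth: do not rely on the rendering decision alone.
        // The same authorization rule is evaluated again on the request that
        // actually performs the save, so a disabled event-validation setting or
        // a later refactor of Page_Load cannot silently open this path.
        if (!CurrentUserCanSave())
        {
            Response.StatusCode = 403;
            Response.SuppressContent = true;
            Context.ApplicationInstance.CompleteRequest();
            return;
        }

        SaveData();
    }

    private bool CurrentUserCanSave()
    {
        // Hypothetical permission check; replace with the application's real
        // role or claims logic. Kept in one place so the render decision and the
        // handler check can never drift apart.
        return User != null
            && User.Identity.IsAuthenticated
            && User.IsInRole("Editor");
    }

    private void SaveData()
    {
        // Persist the record (application-specific, as in the question).
    }
}
```

The practical check on an existing page is to confirm that neither the @Page directive nor web.config sets EnableEventValidation="false"; with it on, the Visible=false answer holds, and with the handler check above, the save still stays protected even where it has been turned off.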