
Can one cause Page.IsPostBack to be true independently of ASP.net?

If one is checking a user's roles to determine whether they may access a page, is it safe to put this check only inside an if (!Page.IsPostBack) { ... }? Could it be possible for the client to cause Page.IsPostBack == true independently of ASP.net; that is, the client POSTs to the page and sets the right form fields? If that were possible, then I suppose best practice would be to check security on every page load, not just when Page.IsPostBack == false.

Jez asked May 31 '11 15:05



2 Answers

Easily. And it doesn't even have to be via an HTTP post.

IsPostBack checks for the ViewState and Event* hidden fields. If you supply those fields on the query string then IsPostBack will actually return true, so, for example, a client page which tries to load an image using that jerry-rigged query string will cause the code behind to believe it's a post back.

blowdart answered Oct 06 '22 00:10


As a concrete example, suppose your page has a button that only administrators are supposed to be able to see and click:

<asp:Button runat="server" ID="resetButton" Text="Reset" OnClick="resetButton_Click" />

Inside an if (!IsPostBack) block in the code-behind, you hide the button if the user isn't an admin:

protected override void OnInit(EventArgs e)
{
    if (!IsPostBack)
        resetButton.Visible = IsAdmin();
}

private bool IsAdmin()
{
    ...
}

Question: Can a non-administrator cause the code in resetButton_Click to execute?

Answer: YES, even if view state and event validation are enabled.

Someone can simply browse to your page with ?__VIEWSTATE= or ?__EVENTTARGET= appended to the URL (causing IsPostBack to return true) and then click the button.

Conclusion: Turning off sensitive functionality in if (!IsPostBack) is NOT safe.

To fix the problem, remove the IsPostBack check or add Visible="False" to the button markup (secure by default).

Michael Liu answered Oct 05 '22 22:10
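As an added example that is not part of either answer above: a hardened code-behind for the page described in the second answer. The role check runs on every request rather than inside if (!IsPostBack), so a request that carries __VIEWSTATE or __EVENTTARGET in the query string cannot skip it, the click handler re-checks before doing anything privileged, and the button is hidden by default in the markup and only revealed once the check has passed. The class name AdminTools, the role name "Administrator", the PerformReset method and the 403 response are assumptions made for illustration, not code from the original post.

```csharp
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

// Assumed markup for this example (Visible="False" makes the control secure by default):
// <asp:Button runat="server" ID="resetButton" Text="Reset" Visible="False"
//             OnClick="resetButton_Click" />
public partial class AdminTools : Page
{
    // Role name assumed for this example.
    private const string AdminRole = "Administrator";

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);

        // Authorise on EVERY request. IsPostBack is derived from the
        // __VIEWSTATE / __EVENTTARGET fields, which a client can supply in the
        // query string, so a check guarded by !IsPostBack can be bypassed.
        if (!IsAdmin())
        {
            // Reject the whole request; hiding a control is not an access control.
            throw new HttpException(403, "Forbidden");
        }

        // Only reached by an authorised user; the markup hides the button by default.
        resetButton.Visible = true;
    }

    protected void resetButton_Click(object sender, EventArgs e)
    {
        // Defence in depth: the handler itself re-checks, so it stays safe even if
        // the page-level check is later refactored away.
        if (!IsAdmin())
        {
            throw new HttpException(403, "Forbidden");
        }

        PerformReset();
    }

    private bool IsAdmin()
    {
        // Page.User is the authenticated principal for this request; an anonymous
        // request has no roles and is denied.
        return User != null
            && User.Identity != null
            && User.Identity.IsAuthenticated
            && User.IsInRole(AdminRole);
    }

    private void PerformReset()
    {
        // Privileged action; hypothetical placeholder for this example.
    }
}
```

Checking inside the handler as well as in OnInit means the privileged code is never reachable through the page lifecycle without a fresh role check on that very request. Where the whole page is administrator-only, the same rule can also be expressed declaratively with a <location> element and an <authorization> section in web.config, which ASP.NET enforces before the page lifecycle starts; the in-code check above remains useful for actions that are finer-grained than a page.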