How to check if gridview has been tampered - asp.net

I am running some scan testing on an asp.net website. The scanner is changing some of the data on the gridview such as follows:
Parameter GridCustom$ctl10$CHK_SelRcd manipulated from: on to: d4R4rs
As you can see a checkbox inside the grid GridCustom called "CHK_SelRcd" was modified and the grid did not detect this. Is there some type of command similar to:
GridCustom.IsValid()
That I can check if the controls have been tampered with (Or have invalid values such as above checkbox)
Thank You

I made a very small example using a DropDownList and a postback.
<asp:DropDownList runat="server" ID="ddlTest">
<asp:ListItem Value="1" Text="1"></asp:ListItem>
<asp:ListItem Value="2" Text="2"></asp:ListItem>
<asp:ListItem Value="3" Text="3"></asp:ListItem>
</asp:DropDownList>
I change the Value of one using the inspect tools of the browser and here is the message I got.
Invalid postback or callback argument. Event validation is enabled
using in configuration or <%#
Page EnableEventValidation="true" %> in a page. For security
purposes, this feature verifies that arguments to postback or callback
events originate from the server control that originally rendered
them. If the data is valid and expected, use the
ClientScriptManager.RegisterForEventValidation method in order to
register the postback or callback data for validation.
Now, there are parameters that, even if you change them, do not affect the results in the code-behind, for example:
If you change the id, the postback sends the name, so there is no effect there.
If you change the name, again the postback is not affected, because the value goes to a parameter that does not exist.
If you swap two names with each other, it again detects it and throws an error.

Related

DropDownList / RadioButtonList - I don't need to validate selected value?

I have used ASP.NET MVC, and there, when I have for example a dropdown list, I must check if the selected value is correct, because the user can change the value on the dropdown list using for example Firebug.
I am new in ASP.NET Web Forms. I have for example:
<asp:DropDownList ID="DropDownList1" runat="server">
<asp:ListItem Value="1">One</asp:ListItem>
<asp:ListItem Value="2">Two</asp:ListItem>
</asp:DropDownList>
<asp:RadioButtonList ID="RadioButtonList1" runat="server">
<asp:ListItem Value="1" Selected="True">One</asp:ListItem>
<asp:ListItem Value="2">Two</asp:ListItem>
</asp:RadioButtonList>
In Firebug I changed the selected value in DropDownList1 to 3 and in RadioButtonList1 to 3 and submitted the form. Then I got this error:
Invalid postback or callback argument. Event validation is enabled using in configuration or <%# Page EnableEventValidation="true" %> in a page. For security purposes, this feature verifies that arguments to postback or callback events originate from the server control that originally rendered them. If the data is valid and expected, use the ClientScriptManager.RegisterForEventValidation method in order to register the postback or callback data for va...
Does it mean that I don't need to validate selected value because user can't change it?
Generally speaking, yes, EnableEventValidation works with that purpose in mind, you can read more here: http://msdn.microsoft.com/en-us/library/system.web.ui.page.enableeventvalidation(v=vs.110).aspx
In particular:
When the EnableEventValidation property is set to true, ASP.NET validates that a control event originated from the user interface that was rendered by that control. A control registers its events during rendering and then validates the events during postback or callback handling. For example, if a list control includes options numbered 1, 2, or 3 when the page is rendered, and if a postback request is received specifying option number 4, ASP.NET raises an exception. All event-driven controls in ASP.NET use this feature by default.
So as a matter of fact you can be safe knowing that people cannot tweak your client HTML with the console and post back malicious data.
This said, you may want to put some guard in the server code just in case for some pages you need to disable event validation (it may happen if you want to submit strings that look like code or if you want to modify elements on the page with jQuery for example).
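A server-side guard of the kind suggested above, which also covers the checkbox value from the first question, as an added example that is not code from any of the posts: it compares the raw posted values with what the server rendered, so it still works on pages where event validation is disabled. `PostedValueGuard` and `OrderPage` are hypothetical names; the control IDs are the ones used in the posts.

```csharp
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

// Hypothetical helper (name and methods are assumptions for this example).
public static class PostedValueGuard
{
    // For single-selection list controls (DropDownList, RadioButtonList):
    // true when nothing was posted, or when the raw posted value is one of
    // the values the server placed in the control's Items collection.
    public static bool IsExpected(HttpRequest request, ListControl list)
    {
        string raw = request.Form[list.UniqueID];
        return raw == null || list.Items.FindByValue(raw) != null;
    }

    // For a CheckBox: a browser sends nothing for an unchecked box and "on"
    // for a checked box rendered without a value attribute (the value the
    // scanner replaced in the first question). Anything else is unexpected.
    public static bool IsExpected(HttpRequest request, CheckBox box)
    {
        string raw = request.Form[box.UniqueID];
        return raw == null || raw == "on";
    }
}

// Hypothetical code-behind; the control fields are normally generated
// by the designer from the .aspx markup.
public class OrderPage : Page
{
    protected DropDownList DropDownList1;
    protected GridView GridCustom;

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack) return;

        bool ok = PostedValueGuard.IsExpected(Request, DropDownList1);
        foreach (GridViewRow row in GridCustom.Rows)
        {
            var box = row.FindControl("CHK_SelRcd") as CheckBox;
            if (box != null) ok &= PostedValueGuard.IsExpected(Request, box);
        }
        if (!ok)
            throw new HttpException(400, "Unexpected postback value.");
    }
}
```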

Radcombobox OnItemRequested firing page validation

I have some really weird stuff going on here.
I have the following RadComboBox and button in the master page:
<telerik:RadComboBox ID="rcbPesquisa" runat="server" CausesValidation="false" ShowToggleImage="false" LoadingMessage="Carregando..." HighlightTemplatedItems="true" OnClientKeyPressing="onKeyPressing" EmptyMessage="Buscar" EnableLoadOnDemand="True" EnableVirtualScrolling="true" OnItemsRequested="rcbPesquisa_ItemsRequested" AllowCustomText="True" AutoPostBack="true" OnSelectedIndexChanged="rcbPesquisa_SelectedIndexChanged" Width="350">
<asp:Button runat="server" ID="btnExcluir" Text="Excluir" OnClick="btnExcluir_Click" CausesValidation="true" ValidationGroup="Excluir" CssClass="btn" OnClientClick="return confirm('Deseja realmente excluir o registro?');" />
In the page, I have this validator:
<asp:CustomValidator ID="cuvExclusaoRelacionamento" runat="server" ValidationGroup="Excluir" OnServerValidate="cuvExclusaoRelacionamento_ServerValidate"></asp:CustomValidator>
What happens is: when I click the combobox, and it tries to load its items, the cuvExclusaoRelacionamento validator is called on the server, and of course things go south.
By the way... __EventTarget on cuvExclusaoRelacionamento_ServerValidate is empty
Unfortunately, and without seeing the full code I'm only guessing, I believe there is no way of getting around this due to the following settings:
ValidationGroup="Excluir" The ValidationGroup property assigned to an input control is the Validation Group which should be triggered when the control posts back; The ValidationGroup property of a validator control is the name of the group to which it is assigned; Finally the ValidationGroup property of a submitting control (which could be a button but can also be the input control) is the name of the group of Validators to validate the page against before posting back to the server. I should point out at this time that it will not post back (server-side event handlers will not be triggered) if the validation fails. Given that the validation group of the control is the same as the validation group of your Custom Validator the validator will be triggered when the control attempts to post back to the server (e.g. when being clicked), if this validation fails it will not post back.
AutoPostBack="true" When you set the control to auto post back it will post back to the server when updated. Given you have an OnClick event I'm guessing you need to perform some server side action when the state of the control is changed.
CausesValidation="true" When set to true all validators assigned to the same "Validation Group" as the submitting control will be triggered when the control attempts to post back to the server. As I've said above, this will prevent post back (meaning the server-side Event Handlers will not be triggered) if the validation fails.
Given the information provided, I'm guessing that the best action you could take is to set CausesValidation="false" for the control. The validation can still be performed so long as you have a submit button (or other control which triggers a post back) elsewhere which is assigned to the "Excluir" Validation Group.

DevExpress Asp.net Control validation kicks in unexpectedly

I am using latest DevEx Asp.net controls. In one of my pages, I have a form with AspxLabels and AspxTextBoxes. In certain textboxes I have a required field validation. I also have 2 check boxes on the page when clicked they populate certain textboxes with data from server.
Here is when the problem occurs.
When any of the check boxes are clicked, I make all textboxes that would be populated from server set to empty string. Then I set the data.
If one of the required fields already has some data, then setting it to empty string when checkbox is checked causes client side validation to kick in and server call to get the data is not done.
Does anyone have any idea how to approach and solve this problem?
Based on your description (aspx would make it more clear) you should set ValidationSettings.ValidateOnLeave to false and validate editor manually.
Here is sample from devex code central article:
<input type="button" value="Validate" onclick="tbTextBox2.Validate();" />
<dx:ASPxTextBox ID="tbTextBox2" runat="server" ClientInstanceName="tbTextBox2">
<ValidationSettings ValidateOnLeave="False">
<RequiredField IsRequired="True" ErrorText="Field is required." />
</ValidationSettings>
</dx:ASPxTextBox>
For various ways of validating form editor(s) on client side read How to raise validation on the client side.

how to check a particular asp.net validation control is valid?

In a web form there are different asp.net validation controls. Is it possible to check a particular validation control is valid ? For example on leaving focus of textbox, first I will check requiredFieldValidatorUserName is valid ? If it is valid then I will check on server using ajax that this user name is not booked already.
Edit:
Explanation: I want to check validity (that input was valid) of a validation control on client side.
Please guide.
All validator controls implement IValidator which contains the IsValid property.
myValidatorControl.IsValid
The best way would be to use a CustomValidator with client side code, as this will display all the error messages, block form submission and also ensure that the validation is repeated at the server side - remember, just because you have client-side validation available, doesn't mean the user's seen it: Always validate your input at the server as well.
Your CustomValidator would then be coded to call the Ajax methods, and would show the error messages correctly to the client:
<asp:Label ID="UserNameLabel" AssociatedControlID="UserName" runat="server">
UserName *:</asp:Label>
<asp:TextBox ID="UserName" runat="server" />
<asp:RequiredFieldValidator ID="UserNameRequired" runat="server"
ControlToValidate="UserName" EnableClientScript="true"
ErrorMessage="You must supply a username!" />
<asp:CustomValidator ID="UserNameCustom" runat="server"
ControlToValidate="UserName"
ClientValidationFunction="CheckExisting"
OnServerValidate="UserNameCustomValidate"
ErrorMessage="Username already taken" />
And your ClientValidationFunction should look something like:
<script type="text/javascript">
function CheckExisting(source, arguments) {
// Pass the arguments.Value to your AJAX call:
if (ajaxCallUserNameTaken(arguments.Value)) {
arguments.IsValid = false;
}
}
</script>
(Obviously, you'll need to write the ajaxCallUserNameTaken method to call your page method/web service/etc.)
Doing it this way will ensure that the validation methods happen as expected; this will get called whenever the user tabs out of the textbox leaving a value (it won't get called if the textbox is empty), and will ensure that the user can't submit the page until they supply a unique value. You'll also want to create the method referenced in OnServerValidate to ensure that the value's good once it hits the server too - this should call the same code that the AJAX endpoint uses to reduce duplication of code, etc.
I was originally going to suggest that you could use the Page_Validators object on the client-side to do some checking in the onBlur event, but I don't really think this is suitable here as it results in more pain:
It assumes that although there might be more than one validator on the page, there's only the RequiredFieldValidator on the control we're checking
The RequiredFieldValidator isn't fired during OnBlur if a user moves out of a control without setting a value - only if they set and clear the value, so even if isvalid is true, you need to check for an empty string!
You could do this by setting the ValidationGroup for the Validator control that you want to treat as separate from the others. Make sure it matches the ValidationGroup of the control it's validating (your username field).
I have just faced the same issue and I set CausesValidation="true" on the textbox control and it worked. Just give it a try :)
I have been messing around with this for a bit and found a rather easy (not so efficient) solution to handle this using jQuery.
Use this function to check the validity of your control:
function validateControl() {
    // true while the validator's error message is being shown
    return $('#YOUR_VALIDATOR_ID').css("visibility") == "visible";
}
If you're using Display="Dynamic" on your validator, then the function is like so:
function validateControl() {
    // true while the validator's error message is being shown
    return $('#YOUR_VALIDATOR_ID').css("display") == "inline";
}
Be sure to check the true ID of your validator if you're using a Masterpage, as it will be different than the one in your IDE. Do so by viewing the page source in your browser.
The best solution will be of course to validate your form in some other way, using JavaScript or a CustomValidator that lets you write your own code.

UpdatePanel update without trigger button

I have an UpdatePanel with ContentTemplate specified. When the page loads, the user can do some AJAX work in another part of the page. Then, after that work is finished, I would like to update only the content inside the UpdatePanel, but without pressing any buttons etc. It should be done automatically using JavaScript when the previously started AJAX work finishes. How to do it without manually clicking on the trigger button?
EDIT:
Ok, I've followed that __doPostBack rule, and the whole page is posted.
<asp:UpdatePanel ID="panelAttachments" runat="server">
<ContentTemplate>
........
</ContentTemplate>
</asp:UpdatePanel>
<input type="text" name="test" onchange="__doPostBack('<%=panelAttachments.UniqueID %>',''); return false;" />
</td>
Thanks, Pawel
To refresh an update panel from javascript:
__doPostBack(updatePanelUniqueID,'');
The first parameter is the UniqueID (not ClientID) of the UpdatePanel. The 2nd parameter is optional arguments you can pass, which will be available to your server code. Both are stored in hidden form fields by ASP.NET; you can access them in codebehind:
Request.Form["__EVENTTARGET"];
Request.Form["__EVENTARGUMENT"];
But if you just want to refresh a panel and don't need to pass any additional info from the client, you can ignore the 2nd argument.
If you look at the HTML generated by ASP.NET for an async postback control, you'll see it's exactly this.
