This is not a cross-site attack because it happens on the same website.
Before we render to the browser, we figure out in server-side whether to render a button or not based on whether the user has sufficient credit in their account (example case). So, if they have insufficient credit, the check out button doesn't even make it to the page on page load.
Here's what they did:
Go to a purchase product page when they have sufficient credit. The check out button shows.
They look at Inspector (FireFox) or any other in-browser developer tool and copy the html input element that submits the form.
They purchase as normal. Now, they have insufficient credit.
They go to another purchase product page, and of course, the check out button will no longer show (because it didn't even make it on page load in the first place).
They open up their in-browser developer tool and paste the input element copied from the other previous page when they had sufficient credit. The button shows up on the rendered page. They click it, then they proceed as if they had sufficient credit.
The problem is, the submit button's event handler in code behind is unaware of the existence or non-existence of that submit button, and will execute if called, and that we give it a hard-coded id.
The obvious solution would be to do a credit vs. price check [again] on the click event handler. From inside the event handler, is there a way to determine whether the control existed on page load? I figure that the sender parameter would not be null if they pasted a control in-browser, so there's not much help there.
Any solutions on this?
The only safe solution to this is to check if the user has sufficient credits ON THE SERVER after the postback occurs.
protected void OnSubmit(object sender, eventargs e)
{
if (product.Price > User.Credits) {
throw new Exception();
}
purchase();
}
If you use the check the button approach then they can still use the JavaScript console to call __doPostBack
Never rely on the client side for authorization
You could store in ViewState whether the button was rendered or not; this is encrypted and cannot be changed on the client. If you set it as ViewState["ButtonRendered"] = true;, then you can check this to see if it's true or false, and act accordingly.
Because of the nature of the user opening up multiple browsers, and other tricks, I would 100% recommend you do another database query to make sure they have sufficient credit, and if not, display an error to the user. That would be the absolute best way of handling it. What would keep them from opening up firefox and chrome, and trying to attempt to simultaneously purchase two different items?
Related
I have an asp:Button that fires a code behind function on the OnClick event. In that OnClick event several things happen, and among those things I do a check in the database for if I need to ask the user a yes or no question. For that I need a message box. First I did it like this:
protected void MyButton_Onclick(object sender, EventArgs e)
{
// lots of stuff happening
bool iNeedToAskTheUser = INeedToAskTheUser(stuff);
if (iNeedToAskTheUser)
{
DialogResult result = MessageBox.Show("Do you want to fix all objects?", "Fix objects", MessageBoxButtons.YesNo);
if (result == DialogResult.Yes) // do stuff
}
// some other stuff
}
This works fine locally but not when deployed, so I figure I would need to use ScriptManager.RegisterStartupScript instead. I could just add javascript on the ASPX page that fires up a dialog and saves the response in a hidden control that I can then look at, but I don't want to fire up the dialog unless I have to, which I check for before I do the DialogResult in the code above. So I can't do that immediately when the user clicks the button.
Is there any way I can use ScriptManager.RegisterStartupScript in "the middle" of my _OnClick code so that I can choose whether or not to actually show the button, and then also know if the user clicked yes or no, (preferably) without doing a postback?
I've been thinking and testing two different solutions:
Use ScriptManager.RegisterStartupScript in code behind to fire a JavaScript confirm function on the ASPX page. The JavaScript function would set a value in a hidden control depending on if the user answered yes or no and then my code behind stuff would check the value of that hidden field and act upon that. The problem with that is that once ScriptManager.RegisterStartupScript fires it doesn't wait for the JavaScript function to "finish", ie wait for the user to reply to the confirm(). So the value in the hidden control will always be empty because the code behind gets to the check of that control before the user has a chance to respond to the confirm(). So that's a no go.
Use ScriptManager.RegisterStartupScript in code behind to open up a new ASPX page that asks the user the question and then does all the work in response to the user's answer in that page. The problem then is to pass the object that the new ASPX page needs to do work on in response to the user's response.
I'm sure there are great solutions using Ajax or jQuery but this is a fairly simple function that shouldn't take too long to develop, so that is kind of out of scope for this.
Instead I'll go with a solution where I know what the user will respond to the question before they click the button. (While silently muttering under my breath: "It's 2019 and there's no good way to fire up a yes/no dialog from code behind in a .Net web project...". I need to get back to not working with web).
I'm having trouble with a simple ASP.NET application and the back button after a post back.
The page in question has a simple form on it, some text fields etc, and a dropdown that does a postback (autopostback).
The "normal" flow is the user fills out the form and perhaps changes the dropdown. Based on the dropdown value the page content might change.
The problem I'm having is that after the user has changed the dropdown and the postback has completed then the user clicks the back button. They see a "webpage has expired" message from IE.
I've set the following:
Response.Cache.SetExpires(DateTime.Now.AddMinutes(-1));
Response.Cache.SetCacheability(HttpCacheability.Private);
But that doesn't seem to have nailed the problem.
The actual Cache-Control response header reads as: private, no-cache:"Set-Cookie"
In a classic ASP application the with a Cache-Control response header of just "private" the back button behaves as expected after a "post back".
Is there anyway to force ASP.NET to set the cache-control explicitly to exactly "private"? Or any other solution that results in the back button and postbacks working well together?
Thanks!
Depending on a situation you might get away with this hack/workaround:
private void Page_PreRender(object sender, System.EventArgs e)
{
if (IsPostBack && !IsCallback)
{
Response.Write("<html><head><script>location.replace('" + Request.Path + "');\n" + "</script></head><body></body></html>\n");
Response.End();
}
}
What you're dealing with is actually an old problem. In essence, the reason that you're seeing the "web page has expired" message is that one of the techniques for disabling the "back" button has been employed. The technique sets the cache to a date in the past, therefore causing the browser to show this error if the user clicks the "back" button.
That would be this line of code:
Response.Cache.SetExpires(DateTime.Now.AddMinutes(-1));
This has been an issue, particularly with WebForms ASP.NET because of how the postback works, compared to other frameworks.
For a thorough explanation of all the issues involved, I strongly recommend reading the article linked to below. It does not answer your question directly, but I think you will get more information out of it than a simple answer and will help you think through your options, armed with a better understanding of the issue at hand. Be sure to read parts 1 AND 2.
https://web.archive.org/web/20210927201700/http://www.4guysfromrolla.com/webtech/111500-1.shtml
I do have an idea on how to make the "back" button behave like a "back" button again, so that postbacks aren't treated as a page navigation:
Personally, I've adopted a (arguably hackish/sloppy) approach of just putting things in an UpdatePanel when I don't want the postbacl/back button conflict, since I use Ajax in most of my apps anyway. This forces the "back" button to actually go back to the previous page, rather than staing on the same page, but reverting to the control values as they were before the postback.
i need to implement a back button for my asp.net website.I am able to use the javascript method to acheive my requirement.But using this method sometimes I need to click on the back button multiple number times to go back to the previous page.It may be because we are using jquery tabs in our website.To focus on a particular tab,other than the 1st tab on page load I am using Page.ClientScript.RegisterStartupScript(....).So I am unable to take the user back to the previous page with just one click.
I also tried with asp.net-C# methods mentioned in the following link.
http://www.dotnetcurry.com/ShowArticle.aspx?ID=89
I am able to go back to the previous page, but its state is being lost.Could someone please help me in acheiveing my requirement?
Details:
I have page1.aspx,page2.aspx(which contains jquery tabs view/edit).
In the page1.aspx there are 2 buttons(View,Edit).If I click on view button it takes me to page2.aspx View tab(1st tab) and if I click on the edit button it has to take me to page2.aspx with Edit tab loaded.both View/Edit tabs contain back button.
Also from the View tab I can navigate to the Edit tab,by clicking on another Edit button present in it.
Thanks.
The methods you have covered in your question are essentially what is available to you.
You can either
1. Provide a link that uses javascript to make the client go back a page.
2. Provide a link that posts back to the server that redirects you back a page.
I am not sure why the jquery in your webform as described in your question is causing you to click more that once to go back. If you know that it will always take 2 clicks to go back you could try this method:
javascript: window.history.go(-2)
When you are using the postback/redirect method you will always be using a http GET method to retrieve the page you are returning too. If you want to maintain state you will have to do this manually i.e. save the values when leaving the page somewhere, like session or a temporary database, and when returning to the page, during the page load, check to see if the user has these values saved and pre-populate them.
I've done something similar (with automatic redirections though) and I had to keep track of the number of pages to go back in my ViewState (or Session if you're jumping from page to page):
code-behind
public void Page_Load()
{
Session["pagesToGoBack"] = ((int)Session["pagesToGoBack"])++;
}
mark-up:
<input type="button" value="Back" onclick='javascript:history.go(<%= Session["pagesToGoBack"] %>);' />
Be careful to reset the session variable when needed
Made me feel a bit dirty but it worked :)
There are a few similar questions posted here but none that really addresses my needs.
I have a list of items on one page, lets call it masterlist.aspx. If I click on one these list items another page appears, i.e. details.aspx?id=something.
The page that appears has a formview control in edit mode. If the user wants to edit the data they hit an edit linkbutton and, the form is sent into edit mode, they then edit the data and click the save button, saving the data and putting the formview back in view mode.
The issue is if the user uses the browser back button to go back to the masterlist.aspx page the page is not updated, it's pulled out of the browser cache.
I have played around with the HTTP headers cache settings but can't get anything that works on all major browsers. On some browsers I get web page expired warnings. Another option is to somehow trigger a page refresh (or partial page refresh) when the page loads using client side code, but I haven't been able to figure out how to do this.
Is there any other approach or has anyone been successful with the two approaches above, or is there some way of avoiding the issue completely.
I have to do something like this in a catalog where the browse page needs to be loaded from the DB on every load because when you hit a product page it calls out to a 3rd party to get updated info, and then save it if it should be updated. This is so when you hit the back button like you're saying the data is reloaded. What I've done is added this into the page and it seems to work fine in all browsers.
public class ProductBrowser : Page
{
protected override void OnInit(EventArgs e)
{
Response.Cache.SetCacheability(HttpCacheability.NoCache);
Response.Cache.SetNoStore();
Response.Cache.SetExpires(DateTime.MinValue);
base.OnInit(e);
}
}
What about capturing the Back button keypress event, then instead of allowing it do a browser.history.back(), you can do a document.location(...) call.
Alternatively, you could capture the back event and trigger a post-back, which could do a Response.Redirect("yourpage"). This would force the browser to issue a GET statement for the designated page, and make it refresh
With Javascript a complete solution may not be possible, but there is a workaround.
http://www.boutell.com/newfaq/creating/backbutton.html
It uses a timeout function that repeatedly forces the browser to perform a 'Forward' action. Even if someone clicks the Back button, it'll bring back to the actual page, thereby nullifying the Back operation. It may cause a flicker though.
I have played around with the HTTP headers cache settings but can't get anything that works on all major browsers. On some browsers I get web page expired warnings.
How do you get to that masterlist page? If you issue an HTTP GET and prevent clients and proxies to cache it you'd have no issues navigating back to it (and still getting an updated version).
That leaves you with server side caching (with proper invalidation when any of those items change) or no caching at all.
I have an have an ASP.Net page which contains a button. This Page contains a ServerSide Paypal button.
When pushed my server does various clever things on the back end and then rewrites the response as a form and some javascript which posts this form to paypal..
This all works great.
However, if the user then elects to click back, they will arrive at my generated self-posting form and that will forward them again to Paypal.
I thought if I could find a way to have my generated form page not exist in the history, then this will solve my problem. but I have no idea how to correct this.
How can I remove my page from the history or just have it never appear?
Update: Thanks to all... Those are some great answers. Upvoted all good ones but went with splattne on account of clever use of hidden field rather than cookies for basis of decision.
window.location.replace(URL);
window.location:
replace(url)
Replace the current document with the
one at the provided URL. The
difference from the assign() method is
that after using replace() the current
page will not be saved in session
history, meaning the user won't be
able to use the Back button to
navigate to it.
I'm not sure if that can be done. But here is an idea how you could prevent that resubmit of the form.
You could insert a hidden input in your form which at the beginning would be empty. On submit you'll write a value in that field and make sure you check on every submit attempt if this field is empty.
If it is not empty on submit you know that the form was previously sent and you could warn the user.
As a web application, you'll never have full control of the user's browser. Even if there was a way to instruct the browser to not store the page in history, which I doubt, you can't be sure it'll work. For example, a clever user could tweak an open-source browser to store every page in history, no matter what.
I think you should try to approach the problem from another angle. You could, for example, detect that it's the same form which is being forwarded and not send it to paypal the second time. The important thing is to do it server-side.
Perhaps you could set a cookie before submitting the form.
When the page is loaded, check for the existence of that cookie (meaning the form was already submitted). If found, instead of automatically submitting the form, automatically go back (window.history.back()) again.
I'm not sure if you can do this easily with PayPal integration, but the
"Post / Redirect / Get" pattern can be used to address this problem
A useful Hint for some might be this...
window.history.go(-2);
particularly in the advent of a load failure warning popup.
You could simply programme your page not to submit, or to do something / navigate somewhere else, if window.referer is the Paypal page you are trying to avoid invoking a second time.
protected void Page_Load(object sender, EventArgs e)
{
Page.RegisterClientScriptBlock("", "<script>if(history.length>0)history.go(+1);</script>");
}