Tampering With Control Text in ASP.NET - asp.net

I was recently discussing this with someone, and I wasn't sure if this is an issue or not.
We are creating an ASP.NET website and if the user performs an action on a page we might create a database query using the Text values on controls that we have previously populated.
Could a user do something malicious like modify the text of a label control in their browser, then hit the update button and when we pull that label's .Text we end up inserting that value into the database?

It's easily done via Firebug, for example, yes. Make sure you sanitize/validate any input coming in to prevent SQL injection or any other malicious intent.
Have a read of this MSDN article for more help.
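
One way to handle text read back from a control before it reaches the database, as an added example that is not part of the original question or answer: validate the posted value against an allow-list, then pass it as a query parameter. The `Customers` table, its columns and the name rule are assumptions for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

public static class CustomerUpdates
{
    // Assumed business rule: letters, digits, spaces and a few punctuation
    // marks, 1 to 100 characters. \A and \z anchor the whole string.
    private static readonly Regex NamePattern =
        new Regex(@"\A[\p{L}\p{N} .,'-]{1,100}\z", RegexOptions.CultureInvariant);

    // customerId must come from server-side state (for example the
    // authenticated session), not from a value echoed back by the browser.
    public static bool TryUpdateDisplayName(string connectionString,
                                            int customerId,
                                            string postedName)
    {
        if (postedName == null) return false;
        string name = postedName.Trim();
        if (!NamePattern.IsMatch(name))
            return false; // reject unexpected input instead of "cleaning" it

        // Hypothetical table and column names.
        const string sql =
            "UPDATE Customers SET DisplayName = @name WHERE Id = @id";

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Parameters travel as data, so quotes or SQL keywords in the
            // posted text cannot change the statement itself.
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = customerId;
            conn.Open();
            return cmd.ExecuteNonQuery() == 1;
        }
    }
}
```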

Related

hidden gridview in asp.net safe?

Hello guys, I was wondering if it's safe using a hidden GridView in ASP.NET.
For example, on the login page, use something like this for logging in?
The SQL command that fills this grid is located inside the ASP.NET SQL control and is connected to this GridView.
    For x = 0 To workerGrid.Rows.Count - 1
        If workerGrid.Rows.Item(x).Cells(6).Text = userBox.Text And
           workerGrid.Rows.Item(x).Cells(7).Text = passwordInput.Text And
           workerGrid.Rows.Item(x).Cells(10).Text = companyIdBox.Text And
           workerGrid.Rows.Item(x).Cells(8).Text = "Active" Then
            y = True
            Exit For
        End If
    Next
First of all, you have chosen a completely wrong solution for user authentication. I recommend you change GridView with SqlDataSource to SqlDataReader if you are not using any ORM framework in your application.
Regarding your question, even if you hide GridView via Visible=false it still saves data in VIEWSTATE on page. The VIEWSTATE is a security risk if it is not encrypted (anyone could see or modify the values from it and POST them to your page). You should secure VIEWSTATE to avoid fake login. Click here for details.
You should check whether the content is generated into the HTML. If so, then it is extremely unsafe, professional programmers will be able to steal everything. Also, why don't you simply use a database? Also, why don't you obfuscate your password?
Finally, you should separate your backend logic from UI. User login should never have anything to do with UI controls.
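
A login check kept out of the UI and done with a parameterized query and `SqlDataReader`, as the answers above recommend. This is an added example, not code from the original posts, and it goes beyond them by assuming passwords are stored as salted PBKDF2 hashes; the `Workers` table and all column names are hypothetical.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;

public static class WorkerLogin
{
    // Assumed schema: Workers(UserName, CompanyId, Status,
    // PasswordHash varbinary, PasswordSalt varbinary, Iterations int).
    private const string Sql =
        "SELECT PasswordHash, PasswordSalt, Iterations FROM Workers " +
        "WHERE UserName = @user AND CompanyId = @company AND Status = 'Active'";

    public static bool Verify(string connectionString, string userName,
                              string password, int companyId)
    {
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
            return false;
        byte[] storedHash, salt;
        int iterations;
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(Sql, conn))
        {
            cmd.Parameters.Add("@user", SqlDbType.NVarChar, 64).Value = userName;
            cmd.Parameters.Add("@company", SqlDbType.Int).Value = companyId;
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader(CommandBehavior.SingleRow))
            {
                if (!reader.Read()) return false; // unknown or inactive user
                storedHash = (byte[])reader["PasswordHash"];
                salt = (byte[])reader["PasswordSalt"];
                iterations = (int)reader["Iterations"];
            }
        }
        // Re-derive the hash from the submitted password. This constructor
        // overload needs .NET Framework 4.7.2 or later.
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations,
                                                HashAlgorithmName.SHA256))
        {
            return FixedTimeEquals(kdf.GetBytes(storedHash.Length), storedHash);
        }
    }

    // Comparison whose running time does not depend on where the bytes differ.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Only the one matching row is read on the server, so no credential data is rendered into the page or its view state.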

knockout in asp.net web from master page

Good day.
I was using knockout in an ASP.NET web form master page. On the master page I have an advanced search control built completely with knockout. After selecting the search criteria by radio buttons, tabs and dropdowns, clicking a search button redirects to a details page which is also inherited from the same master page.
I need to persist the selected view from the first page in the details page along with populating the search result.
But I'm unable to do it as an infant in knockout.
I guess if I can remove the binding and apply it again, it will happen (I don't know if I'm wrong or not).
Kindly advise me to get over this situation.
Thanks
Santhi
It sounds like you're doing a complete trip to the server between pages. In that case you'll need to store the state of your search box somehow before the redirect, and then load that state after the redirect. You have a couple ways to do this.
Using Cookies
You could serialize the state of your select control into a JSON string and store it in a cookie. When your search box loads, look for that cookie using JavaScript and if it exists, load the data into your search box.
Using the Query String
You could serialize the state of your select control into the query string, and load from that. This would be a little bit more reliable in case cookies are turned off on the user's browser.
Using Local Storage
If you're working in modern browsers and supporting HTML 5, you could use HTML 5 local storage to store the search state between postbacks. http://diveintohtml5.info/storage.html
Serializing your Model State
Take a look at this page of the Knockout JS documentation for more info on serializing your object graph. http://knockoutjs.com/documentation/json-data.html
I hope this helps!

Do I have to worry about Code Injection when I have no Database access in ASP.NET?

I got a simple Site with a textbox where the user can enter some stuff. That Text is analysed and fancy stuff is done with it (like counting the words, displaying the text in another textbox)
No Database-Connection exists. No data is saved permanently
Do I still have to worry about code injection?
Can something harmful be done?
I agree with #nmat and want to add here that if you want to check against security issues, the only thing you need to consider is cross-site scripting due to weird inputs in the textbox. You can use the Anti-Cross Site Scripting Library for validation. The same site also has details regarding what I just said.
Depending on how you implement the application behaviour, plenty of things could go wrong. You don't have to worry about SQL injection because you don't have a database, but you may have problems if you aren't careful with the submitted data.
Add ASP validators to the TextBox to ensure that the user only submits data that you expect to receive. Ex: add a maximum length, a regex or other custom validation. ASP validators work both on the client side and on the server side so this should be enough protection in this case.

Sample text that will invalidate ASP.NET text input?

I need to do some checking on a validation control but I am not sure what type of text ASP.NET will think is a security issue. Can someone give me some things to try? I tried various HTML tags and it seemed to accept them fine. This is a multiline rich textbox used for saving a field of text to the database. The code for saving is inside of an If Me.IsValid with no ELSE specified, but after the save function is called it proceeds to display a 'saved' message and redirect the page. Some users have been losing work so I think the problem is that Me.IsValid is false so the save function is called but does nothing... Anyways what can I try to invalidate this with? Note I did not write the code for this I am just troubleshooting it.
It sounds like you are confusing Validator controls with ValidateRequest, an internal mechanism of ASP.Net for sanitizing requests.
Validator validation is entirely dependent on your validators. Are you using a RequiredFieldValidator? Then the invalid inputs are simply blank textboxes. Is it a RegularExpressionValidator? Then you need to enter something that doesn't match the regular expression. CustomValidator? Then you need to check the validation logic.
It sounds to me more like you're worried about the input being sanitized for running database queries with. The first thing to check is that in your Page directive, "ValidateRequest" isn't being set to "false". If it is, that would explain why HTML is being allowed through.
You should also check out the following:
How to: Protect Against Script Exploits in a Web Application by Applying HTML Encoding to Strings
Validating User Input in ASP.NET Web Pages
Then, if you'd like to try a database injection attack, just google for a basic SQL Injection tutorial.
javascript:alert('rrrrrooooaaaarrrrr');
Is a good start.
Try some ASCII Codes for non breaking spaces, carriage return, etc.
Since you're saving to a database, try some sql injection as well.
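
The failure described in the question (a save skipped when `IsValid` is false, followed by a "saved" message anyway) can be made visible with a handler like the following. This is an added example, not the code being troubleshot; the control names, the redirect target and the abstract `SaveNote` method (persistence is left to the concrete page) are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

// Base class for a page's code-behind. Request validation (ValidateRequest)
// is a separate mechanism: it rejects the request with an
// HttpRequestValidationException and never sets Page.IsValid.
public abstract class NoteEditorPage : Page
{
    protected TextBox NoteBox;   // assumed control IDs
    protected Literal Status;

    // Implemented by the concrete page, e.g. with a parameterized INSERT.
    protected abstract void SaveNote(string text);

    protected void SaveButton_Click(object sender, EventArgs e)
    {
        Page.Validate();
        if (!Page.IsValid)
        {
            // Report which validators failed instead of silently skipping
            // the save and redirecting as if it had worked.
            var failed = new List<string>();
            foreach (IValidator v in Page.Validators)
            {
                if (!v.IsValid) failed.Add(v.ErrorMessage);
            }
            // Encode before writing into the page; a Literal does not
            // encode its Text on output.
            Status.Text = "Not saved: " +
                HttpUtility.HtmlEncode(string.Join("; ", failed));
            return; // stay on the page so the user's text is not lost
        }

        SaveNote(NoteBox.Text);
        Response.Redirect("~/Notes.aspx"); // only reached after a real save
    }
}
```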

Does disabling a .NET control prevent it from posting back

I have a custom made ASP control which is based on a select (drop down menu). If I disable my control by adding the word "disabled" in its html, I start getting null pointer errors when processing the form data.
I figure, either the browser doesn't post back disabled form items or ASP.NET ignores them when processing the form data. I'm not sure which one it is. I'm trying to understand where I'm losing data.
Thanks for your help.
PS. I realize that there are better way to create and disable controls than manually editing html but there's a context here that doesn't allow me to do otherwise.
Yes, setting a control's Enabled = false prevents the control's value from being added to the posted data collection.
You can use the readonly attribute instead.
Here in MSDN it says:
"The Text value of a TextBox control with the ReadOnly property set to true is sent to the server when a postback occurs, but the server does no processing for a read-only text box. This prevents a malicious user from changing a Text value that is read-only. The value of the Text property is preserved in the view state between postbacks unless modified by server-side code."
Also here is Microsoft's reply to a bug report related to the topic.
But if you use it in the classical way like this, it will work:
    txt2.Attributes.Add("readonly", "readonly");
It will prevent the control from posting back but remember this web paradigm is a client/server technology. A person could modify the client data (HTML and / or JavaScript) and force a postback no matter what you send him.
Therefore don't rely on this for security sensitive operations such as money manipulation and so on.
Always do a check on the server-side too for sensitive operations.
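
A server-side check for a posted drop-down value that covers both cases from this thread: the field is absent because the control was disabled, or the field carries a value the server never rendered. This is an added example, not code from the original posts; the field name `plan` and the option values are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.Specialized;

public enum PostedChoice { Accepted, Missing, Rejected }

public static class PostedSelect
{
    // Reads one <select> value from the posted form and checks it against
    // the option values the server itself rendered for this user.
    public static PostedChoice Read(NameValueCollection form, string fieldName,
                                    ICollection<string> renderedValues,
                                    out string value)
    {
        value = null;
        string raw = form[fieldName];
        // A disabled control is not submitted, so the key is simply absent.
        // Handle that here instead of dereferencing null later.
        if (raw == null) return PostedChoice.Missing;
        // A value outside the rendered options means the request was edited.
        if (!renderedValues.Contains(raw)) return PostedChoice.Rejected;
        value = raw;
        return PostedChoice.Accepted;
    }
}

public static class Demo
{
    public static void Main()
    {
        var rendered = new HashSet<string>(StringComparer.Ordinal) { "basic", "plus" };

        // Constructed sample postbacks, standing in for Request.Form.
        var ok = new NameValueCollection { { "plan", "plus" } };
        var disabled = new NameValueCollection();               // field not sent
        var edited = new NameValueCollection { { "plan", "enterprise" } };

        string v;
        foreach (var form in new[] { ok, disabled, edited })
        {
            PostedChoice result = PostedSelect.Read(form, "plan", rendered, out v);
            Console.WriteLine("{0} -> {1}", result, v ?? "(none)");
        }
    }
}
```

On `Missing`, the caller should fall back to the value it holds server-side for that control; on `Rejected`, it should refuse the operation.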
