What prevents a user from adding controls to an ASP.NET page client side?
Posted
by Curtis White
on Stack Overflow
See other posts from Stack Overflow
or by Curtis White
Published on 2010-04-23T20:25:16Z
Indexed on
2010/04/23
21:53 UTC
Read the original article
Hit count: 209
This goes back to my other question which I thought was sufficiently answers but upon reflect am not sure that it was (sorry).
Backgrounder:
I am generating a form dynamically. I am pulling from the database the controls.
I must associate each control with a database ID which is not the user's session id. I do this currently by storing my ID in the ID for the web control with some other stuff to make it unique/clear what I am doing.
On the post back, I iterate through all the controls on my web page checking for my special identifier, ie, MyGeneratedTextBox_ID_Unique. This process enables for 2 important steps, identifying the control was one I generated and also getting the ID for this input field.
And, all of this works but I'm still concerned about the security of it. I do not see a security issue with showing the actual database ID's in this case, although agree it is not desirable. However, I am concerned of the following possibilities:
If a user could add a nefarious control to my collection and use that for a SQL injection attack.
More academic, but if a user could somehow store data for fields they do not have access too by changing the id's.
I agree this is a "hack" of a way to do it. But my question is, is it a security risk and is there an 'easy' way to do it in a less hack way?
I assume that only the controls that are created/instantiated on the page are added to the controls list.. thus all controls must be created server side and thus the security issue is address but just wanted to validate. Thanks again.
PS: I could see adding a property for each control and encrypting the viewstate would be a little more secure.
© Stack Overflow or respective owner