tags:

views:

75

answers:

4
Q: 

What prevents a user from adding controls to an ASP.NET page client side?

This goes back to my other question which I thought was sufficiently answers but upon reflect am not sure that it was (sorry).

Backgrounder:

  1. I am generating a form dynamically. I am pulling from the database the controls.

  2. I must associate each control with a database ID which is not the user's session id. I do this currently by storing my ID in the ID for the web control with some other stuff to make it unique/clear what I am doing.

  3. On the post back, I iterate through all the controls on my web page checking for my special identifier, ie, MyGeneratedTextBox_ID_Unique. This process enables for 2 important steps, identifying the control was one I generated and also getting the ID for this input field.

And, all of this works but I'm still concerned about the security of it. I do not see a security issue with showing the actual database ID's in this case, although agree it is not desirable. However, I am concerned of the following possibilities:

  1. If a user could add a nefarious control to my collection and use that for a SQL injection attack.

  2. More academic, but if a user could somehow store data for fields they do not have access too by changing the id's.

I agree this is a "hack" of a way to do it. But my question is, is it a security risk and is there an 'easy' way to do it in a less hack way?

I assume that only the controls that are created/instantiated on the page are added to the controls list.. thus all controls must be created server side and thus the security issue is address but just wanted to validate. Thanks again.

PS: I could see adding a property for each control and encrypting the viewstate would be a little more secure.

+1  A: 

In the original guidelines for ASP.NET 2.0 security they specifically state that you should perform input validation on every input being posted back from the browser. There is really nothing that prevents someone from posting back different data to your server side code. There is some minimal request validation built into ASP.NET, but they specifically state not to rely on that.

You should always validate each individual input that is being posted back from your controls for data integrity. All inputs should be sanitized for SQL injection attacks by removing unnecessary special characters and patterns that might indicate an attack vector. If all you are relying on is an identifier from the control to say that the data is good then you have a huge hole in your validation logic.

You should perform server side validation on each input that validates the format of the input is good as well as that it has no problematic data contained in it.

http://msdn.microsoft.com/en-us/library/ms998258.aspx

Harv  2010-04-23 20:43:08
@Harv. Sorry, I think you are misunderstanding my question. My question can someone create an new control/id or change the id of a control that is posted back? Or can I rely on those control id's to always be what I set them and rely on only my controls being posted back.
Curtis White  2010-04-23 20:53:32
hary is saying that anyone can post a completely different id back to you than what you set them to.
nos  2010-04-23 21:22:06
I think I answered your question already. You can't rely on anything that comes back from the client as being what you expect. The client is completely out of your control. If you leave open options where different controls could be posted back to your server than you expect that could induce behavior that you don't want then someone could implement that behavior from the client side.
Harv  2010-04-23 21:22:17
@Harv Yes but I do not think this is possible or the security hole would be even more serious. In other words, I've tried to create client side controls and they are not showing up.Remember I am referring to the control ID and not to any form data that is posted back. I can't find anything that addresses this -- probably because the only way server side controls get created is on the server.
Curtis White  2010-04-23 21:42:45
A: 

I am going to try to answer my question because I think this is the only way it could be:

The only way server side controls get created is on the server thus you can trust that they will have the id that you set them too. This is one reason the controls must be created on every page instantiation. You may not trust any form submitted data but controls and there IDs are generate server side and thus safe. Likewise, it is not possible to edit the HTML to ever generate a server side control.

Thus my method is relatively secure even if it is not elegant. The only security flaw is the id revealed.

Curtis White  2010-04-23 21:47:27
+1  A: 

I assume that only the controls that are created/instantiated on the page are added to the controls list.. thus all controls must be created server side and thus the security issue is address but just wanted to validate. Thanks again.

The controls you create "live" on the server with runat="server". You don't need to check for your special ID in the controls collection. As Harv said, you do need to validate all of the input from your controls.

No one can add server controls to your pages unless perhaps your web server was compromised.

TheJuice  2010-04-23 22:06:15
A: 

I think what you answered yourself is not wrong. But I feel like you are still mixing things up a bit (creation/instantiation/definition of controls vs. restoring ViewState/state management).

Maybe the following two pieces of information help clear things up a bit:

I very warmly recommend the second article to anyone using ASP.NET (and thus ViewState).

scherand  2010-04-23 22:24:25

related questions

Is it better to create Model classes, or just stick with generic database utility class?
What are effective options for embedding video in an ASP.NET web site?
Visual Studio 2008 debugger already attached work-around
Tracking state using ASP.NET AJAX / ICallbackEventHandler
ASP.NET Display SVN Revision Number
ASP.NET URL Rewriting
How can I change the background of a masterpage from the code behind of a content page?
Easy way to AJAX WebControls
How do I define custom web.config sections with potential child elements and attributes for the properties?
ASP.NET MVC "CRUD" Database Sample
Are Multiple DataContext classes ever appropriate?
How to RedirectToAction in ASP.NET MVC without losing request data
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP.NET built in user profile, Vs old stile user class/tables
What's a good book for learning ASP?
Bandwith throttling in IIS 6 by IP Address
ASP .Net Custom Client-Side Validation
How to get the value of built, encoded ViewState?
Decent, simple, GIS/mapping component for ASP.NET?
Checklist for IIS 6/ASP.NET Windows Authentication?
How to write to Web.Config in Medium Trust ?
ASP.NET, Visual Studio and Subversion - how to integrate?
Floating Point Number parsing: Is there a Catch All algorithm?
How do I sync the SVN revision number with my ASP.NET web site?
ASP.NET Site Maps