I'm making a simple website that lists files from a certain folder. If the user has admin rights, the user can delete files by clicking the "Delete" button.
In my .aspx file, I have the following code:
<asp:Button runat="server" Text="Delete" OnCommand="FileList_Delete"
CommandArgument='<%#Eval("FilePath")%>' Visible='<%CurrentUserIsAdmin()%>' />
So the button will not be rendered if CurrentUserIsAdmin() returns false.
The button is rendered like this:
<input type="submit" name="ctl00$ctl00$MainContent$LocalMainContent$FileList$ctrl0$ctl17" value="Delete" />
My question is: Can I be sure that this method is safe against a known-code attack if the user modifies the webpage client-side aiming to click this invisible button? Or do I have to take precautions in the code-behind and verify the user's rights in the button-clicked event?
Yes, setting a button's Visible property to false is enough to prevent its Click and Command events from being raised, as long as you don't turn off the default WebForms security features.
You can easily test this by temporarily adding an always-visible <input> element to your .aspx with the same name as the rendered <asp:Button>:
<input type="submit"
name="ctl00$ctl00$MainContent$LocalMainContent$FileList$ctrl0$ctl17"
value="Fake Delete" />
Click the fake Delete button when the real Delete button is invisible. You should get an "Invalid postback or callback argument. Event validation is enabled..." exception.
Important notes:
- Don't set a button's
Visibleproperty to false within anif (!IsPostBack)block because it's possible for an attacker to bypass that check. See this answer for more information. - ASP.NET event validation must be enabled (which it is by default). So don't turn it off by adding
EnableEventValidation="False"to the@Pagedirective or<pages enableEventValidation="false" />to Web.config. - Never ever ever disable view state validation by adding
EnableViewStateMac="False"to the@Pagedirective or<pages enableViewStateMac="false" />to Web.config. This would allow an attacker to tamper with the hidden __EVENTVALIDATION field and do other nasty things. - If you choose a derive a custom Button server control from the standard Button control, make sure you add the
[SupportsEventValidation]attribute to the derived class. - If you choose to create a custom Button server control from scratch, call
RegisterForEventValidationandValidateEventin the appropriate places.
They simply won't see the button or even 'recieve' it. Your server will not generate any button code sent to the person.
You have to think of it this way. The user never sees any asp code or is able to process it. They only receive html. You can further ensure this by looking at the html and seeing what has been generated.
So in that regard you are safe.
My question is: can I be sure that this method is safe against known-code attack if user modifies the webpage client-side aiming to click this invisible button? Or I have to make precautions in CodeBehind and verify user rights in button clicked event?
I personally would also put another piece of code in the click event. Verifying that click comes from the user who is authorized to click that button.
What you could also do is to add a button from code behind as this (Assuming you are putting this button into a panel called pnlButtons):
Button btnDeleteList = new Button();
btnDeleteList.Text = "Delete List";
btnDeleteList.Click += btnDeleteList_Click;
pnlButtons.Controls.Add(btnDeleteList);
In other words, if user is Admin - add a button, if user is not an admin - do not add. In this case you do not have to play around with visibility.
hope this helps.
来源:https://stackoverflow.com/questions/24063316/is-making-an-aspbutton-control-invisible-enough-to-be-sure-users-wont-be-able