Security problem in an ASP.NET webpage
I am using a button to do postback
<asp:Button ID="SendButton" Enabled="True" Width="70" runat="server" PostBackUrl='<%# Eval("GroupName", "SendMessage.aspx?GroupName={0}") %>' Text='Send'></asp:Button>
to send the GroupName to the SendMessage.aspx page. But I feel it is vulnerable to attack, something like spoofing (correct me if I am wrong).
http://localhost:40092/SurelyK/SendMessage.aspx?GroupName=Acc
The URL contains the group name, which can be changed by attackers. How can I prevent my website from such an attack? Please give me some suggestions.
The usual method to protect against this is to validate your inputs on the server side, where malicious clients can't do anything. If you see an invalid group name on the server, you can just return a page saying so, rather than performing whatever processing you would for a valid group name.
If you don't expect the values to change, then you can store the data either in ViewState (which is encrypted) or in the Session (which is stored on the server, and is inaccessible to clients).
Given that you have a button for submitting this information, though, I think proper server-side validation is the correct path.
As well, if you haven't secured this page by requiring authentication and authorization, then you should of course do so as well, so that only users you know and trust can access the page regardless.
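The following code-behind for SendMessage.aspx is an added example of the server-side validation and authorization the answer above describes; it is not the asker's code or any answerer's. It assumes a control named GroupLabel on the page and a hypothetical in-memory membership table (GroupMembers) standing in for whatever store you actually keep group membership in. The point it illustrates is that checking the query-string value against a list of known groups is only half the job: the signed-in user must also be allowed to use that group, otherwise anyone who can edit the URL can send to any group.

```csharp
// SendMessage.aspx.cs (added example, not from the original question or answers)
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.UI;

public partial class SendMessage : Page
{
    // Hypothetical membership table: group name -> users allowed to send to it.
    // In a real application this comes from your own membership store; it is
    // hard-coded here only so the example is self-contained.
    private static readonly Dictionary<string, HashSet<string>> GroupMembers =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
        {
            { "Acc",   new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "alice", "bob" } },
            { "Sales", new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "carol" } },
        };

    protected void Page_Load(object sender, EventArgs e)
    {
        // 1. Authentication: an anonymous request never reaches the group logic.
        //    (Normally enforced site-wide via <authorization> in web.config; the
        //    explicit check here makes the requirement visible in the page itself.)
        if (!User.Identity.IsAuthenticated)
        {
            throw new HttpException(401, "Sign-in required.");
        }

        // 2. Input validation: the query-string value is attacker-controlled.
        //    Accept only a group that actually exists; reject everything else
        //    instead of passing it on to message-sending code.
        string requestedGroup = Request.QueryString["GroupName"];
        if (string.IsNullOrEmpty(requestedGroup) || !GroupMembers.ContainsKey(requestedGroup))
        {
            throw new HttpException(400, "Unknown group.");
        }

        // 3. Authorization: a real group name is still not enough. The current
        //    user must be a member of that group, or the URL edit the asker is
        //    worried about lets anyone send to any group.
        if (!GroupMembers[requestedGroup].Contains(User.Identity.Name))
        {
            throw new HttpException(403, "You are not a member of this group.");
        }

        // Only now do the real work. HtmlEncode when echoing the value back so
        // the page never reflects raw query-string input into the HTML.
        GroupLabel.Text = HttpUtility.HtmlEncode(requestedGroup);
    }
}
```

Throwing HttpException with a status code lets the framework render the error page configured in web.config's customErrors section, so the user sees a "not allowed" page rather than a stack trace. The same three checks apply if you later move the group name out of the URL and into Session or ViewState: storage location changes where tampering is possible, not whether the user was entitled to the value in the first place.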
How about using Session variables to hold relevant data instead? Session data persists across multiple pages, until the session ends.
I've never heard of Session variable tampering.