 |
 | Home | Contact Us | FAQ | Search & Site Map | Link to Us |
 | Sign In | Join | Other 45 Sites in Network |
.NET Forum / .NET Framework / Security / April 2006Security of Data in Combo in .net
Hello, I am testing a .aspx page in which there is a Combo box in which there are say 10 options, if I select any option say 6th, and post the .aspx form and intercept the form in the Intercepting proxy (BURP PROXY) Now the parameter corresponding to the combo is taking the numeric value and if I insert indefinate numeric value in the interception. Now my question is 1. Is there any default behaviour in .net that the option which I selected in the client side is reset to the first option of the combo, if data is entered indefinately on interception 2. If any validation to be performed in this case so that either form will give user defined message and will not be posted or the option is selected as it is. Thank you There is no automatic mechanism for verifying that the value passed from the client is a value that is available in the list. If you wish to verify this, you will need to add appropriate validation. > Hello, > I am testing a .aspx page in which there is a Combo box in [quoted text clipped - 17 lines] > > Thank you in 2.0 there is event validation - if a client, e.g. posts a value of a listbox back to the server that wasn't originally there - you get an ArumentException otherwise SelectedValue would be "" --------------------------------------- Dominick Baier - DevelopMentor http://www.leastprivilege.com > Hello, > I am testing a .aspx page in which there is a Combo box [quoted text clipped - 16 lines] > > Thank you Unfortunately, event validation forces list contents into the __EVENTVALIDATION hidden input, which can have performance consequences, particularly for longer lists. It also makes it quite a bit more difficult for other applications to submit requests to a page. Even if one accepts these consequences at original release, it's the sort of thing that a maintenance programmer might be likely to disable at some point in the future. Basically, I'd see this as a convenient bit of protection for those who didn't think of adding any protection at all, but I'd be very hesitant to rely upon it as the sole validation mechanism... > in 2.0 there is event validation - > if a client, e.g. posts a value of a listbox back to the server that [quoted text clipped - 26 lines] >> >> Thank you right. it is a defense in depth measure. it protects the application from sloppy programming style. especially by guarding against postback events for hidden or disabled controls. but the OP was asking for options. --------------------------------------- Dominick Baier - DevelopMentor http://www.leastprivilege.com > Unfortunately, event validation forces list contents into the > __EVENTVALIDATION hidden input, which can have performance [quoted text clipped - 36 lines] >>> >>> Thank you I read the original question quite differently but, on re-read, it seems my grumpy broken leg was doing most of the thinking at the time... ;) > right. it is a defense in depth measure. > [quoted text clipped - 47 lines] >>>> >>>> Thank you As an option, you could very easily subclass the listbox to add this validation. Greg > Hello, > I am testing a .aspx page in which there is a Combo box in [quoted text clipped - 17 lines] > > Thank you Free MagazinesGet these publications absolutely FREE for up to 12 months. There are no hidden fees and no obligation. Simply choose a title, complete the application form and submit it. Read more ...
|
Reply to this Message
|
 Sign In
 Join
 My Latest Posts My Monitored Threads My Blog My Photo Gallery My Profile My Homepage Start New Thread Enable EMail Alerts Rate this Thread
|
©2008 Advenet LLC Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.