Professional ASP.NET 3.5 Security, Membership, and Role Management with C# and VB by Stefan Schackow, Bilal Haidar

9.3. Fraudulent Postbacks

ASP.NET relies heavily upon postbacks and on the client-side postback logic that the runtime emits. With ASP.NET 1.1, there is a potential security issue with postbacks because the client-side JavaScript that triggers postbacks is easy to modify. This security issue is referred to as the fraudulent postback problem. To illustrate the problem, you can construct a simple page with some ASP.NET controls that use the client-side postback logic.

<form id="form1" runat="server">
<div>
    <asp:LinkButton
         ID="btnSensitive" runat="server" Visible="false"
         OnClick="btnSensitive_Click">Click Me!</asp:LinkButton>&nbsp;
    <br />
    <a href="javascript:fraudulentPostback()">Trigger fraudulent postback</a>
    <br />
    <asp:LinkButton ID="LinkButton1" runat="server">
              Ignore Me!</asp:LinkButton></div>

<script type="text/javascript">
// Hand-written replacement for __doPostBack: it fills in the hidden
// postback fields so the server routes the event to the invisible control.
function fraudulentPostback()
{
    var theForm = document.forms['form1'];
    theForm.__EVENTTARGET.value = 'btnSensitive';
    theForm.__EVENTARGUMENT.value = '';
    theForm.submit();
}
</script>

</form>

This ASP.NET page has two LinkButton controls: I chose that control type because LinkButtons emit the __doPostBack function and the supporting form variables used by ASP.NET for submitting postbacks. Note that the same issue can also be triggered with less complex server-side controls, such as the Button control, that don't rely on the __doPostBack method. In the sample page, the first LinkButton has its Visible property set to false. Many developers use control visibility ...
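The defensive counterpart to the sample page, as an added example that is not from the book: a code-behind in which Visible only controls rendering, while the click handler re-checks authorization itself, so a hand-crafted __EVENTTARGET=btnSensitive postback does not reach the sensitive operation. The "Admin" role, the lblResult label and the audit-log call are assumptions for illustration; ASP.NET 2.0 and later additionally reject this kind of postback through event validation, but the server-side check belongs in the handler regardless of runtime version.

```csharp
using System;
using System.Diagnostics;
using System.Web.UI;
using System.Web.UI.WebControls;

// Code-behind for the sample page above (added example; role name and
// lblResult are assumed for illustration and are not part of the original page).
public partial class FraudulentPostbackDemo : Page
{
    protected Label lblResult;   // assumed: <asp:Label ID="lblResult" runat="server" />

    protected void Page_Load(object sender, EventArgs e)
    {
        // Visibility is a UI decision only. Setting it to false removes the
        // rendered link, but a client can still post __EVENTTARGET=btnSensitive.
        btnSensitive.Visible = User.IsInRole("Admin");
    }

    protected void btnSensitive_Click(object sender, EventArgs e)
    {
        // Authorization is re-evaluated on every postback, independent of Visible.
        if (!User.IsInRole("Admin"))
        {
            // Record the attempt for detection: who posted, and which control
            // they named in the hidden field.
            Trace.TraceWarning(
                "Denied postback to {0} from {1} (user '{2}')",
                Request.Form["__EVENTTARGET"],
                Request.UserHostAddress,
                User.Identity.Name);

            // Reject without rendering the page; CompleteRequest avoids the
            // ThreadAbortException that Response.End() would raise.
            Response.StatusCode = 403;
            Response.SuppressContent = true;
            Context.ApplicationInstance.CompleteRequest();
            return;
        }

        DoSensitiveOperation();
    }

    private void DoSensitiveOperation()
    {
        // Stand-in for the privileged action the hidden button protects.
        lblResult.Text = "Sensitive operation performed for " + User.Identity.Name;
    }
}
```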
