9.3. Fraudulent Postbacks

ASP.NET relies heavily upon postbacks and on the client-side postback logic that the runtime emits. With ASP.NET 1.1, there is a potential security issue with postbacks because the client-side JavaScript that triggers postbacks is easy to modify. This security issue is referred to as the fraudulent postback problem. To illustrate the problem, you can construct a simple page with some ASP.NET controls that use the client-side postback logic.

<form id="form1" runat="server">
<div>
    <asp:LinkButton
         ID="btnSensitive" runat="server" Visible="false"
         OnClick="btnSensitive_Click">Click Me!</asp:LinkButton>&nbsp;
    <br />
    <a href="javascript:fraudulentPostback()">Trigger fraudulent postback</a>
    <br />
    <asp:LinkButton ID="LinkButton1" runat="server">
              Ignore Me!</asp:LinkButton></div>

<script type="text/javascript">
// Fills in the hidden postback fields by hand so the server believes btnSensitive
// raised the event, even though that control was never rendered (Visible="false").
function fraudulentPostback()
{
    var theForm = document.forms['form1'];
    theForm.__EVENTTARGET.value = 'btnSensitive';
    theForm.__EVENTARGUMENT.value = '';
    theForm.submit();
}
</script>

</form>

This ASP.NET page has two LinkButton controls. I chose that control type because LinkButton controls emit the __doPostBack function and the supporting hidden form fields (__EVENTTARGET and __EVENTARGUMENT) that ASP.NET uses to submit postbacks. Note that the same issue can also be triggered with simpler server-side controls, such as the Button control, that don't rely on the __doPostBack method. In the sample page, the first LinkButton has its Visible property set to false. Many developers use control visibility ...
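The server-side counterpart to the page above, written as an added example rather than code from the book: a hypothetical code-behind (class name, log category and message text are assumptions) that refuses to act on a postback event whose __EVENTTARGET names a control that was never rendered. ASP.NET 2.0 and later ship event validation for this purpose; the explicit checks below make the underlying rule visible.

```csharp
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

// Hypothetical code-behind for the sample page (not the book's code).
public partial class FraudulentPostbackPage : Page
{
    // Wired to btnSensitive through OnClick="btnSensitive_Click" in the markup.
    protected void btnSensitive_Click(object sender, EventArgs e)
    {
        // A control with Visible="false" emits no markup, so a genuine click on it
        // is impossible. Reaching this handler while it is hidden or disabled means
        // __EVENTTARGET was forged, exactly what fraudulentPostback() does.
        if (!IsLegitimatePostbackSource(btnSensitive))
        {
            Trace.Warn("Security", "Postback event for non-rendered control '"
                + btnSensitive.ID + "' from " + Request.UserHostAddress);
            return;
        }

        // Sensitive server-side work goes here.
    }

    // Control.Visible already accounts for hidden parents; WebControl.Enabled only
    // reflects the control itself, so both are tested.
    private static bool IsLegitimatePostbackSource(WebControl control)
    {
        return control.Visible && control.Enabled;
    }

    // Page-level check: Load runs before ASP.NET dispatches postback events, so the
    // raw __EVENTTARGET can be compared against the control tree for every control.
    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        if (!IsPostBack) return;

        string target = Request.Form["__EVENTTARGET"];
        if (string.IsNullOrEmpty(target)) return;

        Control posted = FindControl(target);
        if (posted == null || !posted.Visible)
        {
            // Abort the request instead of letting RaisePostBackEvent run for it.
            throw new HttpException(400, "Invalid postback target.");
        }
    }
}
```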
