Re: Is Hiding Server Controls Enough ?



Thanks for that reply.

In essence, we are saying that it is technically possible, but highly
unlikely that a hacker would go to these lengths. At least not unless the
information contained was so inviting as to entice the would-be hacker to
have a go.

> the would-be hacker). These controls use JavaScript to send information
> about themselves in hidden form fields back to the server. So, the first

What information would it be? I guess it's some sort of context mapping
which tells the server which server control is being mapped to which
client-side field etc.?

Thanks again for taking the time to reply. I guess when I'm designing
systems I like to think from the hacker's point of view as much as possible.
I suppose that says something about my mindset, but I would like to think
it's from a defensive and positive point of view rather than from a
criminality angle!

Cheers - Mr Newbie . . .
"Kevin Spencer" <kevin@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:%23QWKs263FHA.2640@xxxxxxxxxxxxxxxxxxxxxxx
> Yo Mr. Newbie,
>
>> Will this activate the Server side click event for this button regardless
>> of if it has been displayed or not ?
>
> No it will not. It would require a great deal of skill to accomplish
> something like this, if you do it correctly. That is, use an
> HtmlInputButton Control or a Button WebControl (used as a Command Button
> would be best, as this does not create a Submit button, and makes the job
> more difficult for the would-be hacker). These controls use JavaScript to
> send information about themselves in hidden form fields back to the
> server. So, the first obstacle for Sarah would be not only to add a Delete
> button to the HTML, but also to add the appropriate information into the
> hidden form fields. She would also have to enter the correct information
> into the hidden ViewState form field, in order to trick the server into
> reproducing the Page class and Controls as if its previous state had
> included the button. This is because HTTP is stateless. The server relies
> on the Request coming from the client to reproduce its State if the Page
> is posted back. It has to build the Page from scratch with each Request.
>
> Sarah's only resort would be to get on to the computer right after John
> has loaded the page in the state she wants, and to copy the HTML to
> another file she could hide somewhere. Then, when John is gone, she could
> pull up the page with John's information in it, and merge the HTML to
> create the state she needs. Of course, this could be accounted for by a
> clever developer as well.
>
> In short, using Server Controls would indeed be your best bet.
>
> --
> HTH,
>
> Kevin Spencer
> Microsoft MVP
> .Net Developer
> A watched clock never boils.
>
> "Mr Newbie" <here@xxxxxxx> wrote in message
> news:O640KM63FHA.2600@xxxxxxxxxxxxxxxxxxxxxxx
>> OK, thanks for the reply. I do intend to use access control but I think
>> perhaps I didn't make myself clear enough.
>>
>> Let's say that we have two users 'Jon' and 'Sarah'. John may delete
>> anything but 'Sarah' may only delete her own work.
>>
>> Before the form is rendered, the control logic determines that this
>> document belongs to 'Jon' but that it is 'Sarah' who has opened it.
>> Therefore the logic sets the Visible property of the 'Delete' button to
>> False so it is not rendered to the client.
>>
>> However, 'Sarah' is feeling evil today and decides to enter the tags
>> she's seen before on her own documents and loads the page, or at least
>> somehow manages to add this object into the document displayed and invoke
>> its click event.
>>
>> Will this activate the Server side click event for this button regardless
>> of if it has been displayed or not ?
>>
>> Regards Mr Newbie . . .
>>
>>
>> "John Timney ( MVP )" <timneyj@xxxxxxxxxxxxx> wrote in message
>> news:%233IMdE63FHA.2364@xxxxxxxxxxxxxxxxxxxxxxx
>>> no - hiding is not enough, as someone could simply reconstruct your
>>> hidden elements.
>>>
>>> At the least you need to use some form of access control, to verify who
>>> the logged in user is and then display the controls or not based on
>>> that role.
>>>
>>> --
>>> Regards
>>>
>>> John Timney
>>> ASP.NET MVP
>>> Microsoft Regional Director
>>>
>>> "Mr Newbie" <here@xxxxxxx> wrote in message
>>> news:%23r9IlB63FHA.3636@xxxxxxxxxxxxxxxxxxxxxxx
>>>> I was thinking about developing a workflow application yesterday and was
>>>> musing over the different approaches that one could take in restricting
>>>> specific actions on a ticket ( Form ) at any said stage.
>>>>
>>>> One approach I have used on other systems is to prevent the action
>>>> buttons appearing. For example, if one did not have the Role of
>>>> Administrator, one would be prevented from deleting a ticket not
>>>> created by oneself.
>>>>
>>>> However, it did occur to me that there was a possibility of manually
>>>> constructing the button code in the page which has been rendered to the
>>>> client.
>>>>
>>>> If you have a button which was visible=false ( Not HTML hidden ), then
>>>> would it be possible to invoke the backend function by manually adding
>>>> the tag/id etc for this button ?
>>>>
>>>> I guess I could experiment, but I wondered if there was an instant
>>>> answer available ?
>>>> --
>>>> Best Regards
>>>>
>>>> The Inimitable Mr Newbie º¿º
>>>>
>>>
>>>
>>
>>
>
>
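The pattern John and Kevin describe (hide the Delete button for rendering, but decide authorization again in the server-side click handler, so a reconstructed button or forged postback still fails), as an added C# Web Forms example that is not from the thread. TicketView, btnDelete, and the TicketRepository helper are assumed names.

```csharp
// Code-behind for a hypothetical TicketView.aspx (added example, not from the thread).
// Assumes a Button named btnDelete in the markup, a TicketRepository helper, and roles
// exposed through User.IsInRole. Visible = false only controls rendering; the click
// handler must re-verify authorization on every postback.
using System;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class TicketView : Page
{
    // Owner of the ticket being viewed, loaded on every request (HTTP is stateless).
    private string ticketOwner;
    private int ticketId;

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!int.TryParse(Request.QueryString["id"], out ticketId))
        {
            Response.StatusCode = 400;
            Response.End();
            return;
        }
        ticketOwner = TicketRepository.GetOwner(ticketId); // assumed helper

        // Rendering decision only: hide the button from users who may not delete.
        btnDelete.Visible = CanDelete(ticketOwner);
    }

    // One authorization rule, shared by the rendering decision and the handler.
    private bool CanDelete(string owner)
    {
        return User.IsInRole("Administrator")
            || string.Equals(User.Identity.Name, owner, StringComparison.OrdinalIgnoreCase);
    }

    // Runs on postback. A client can rebuild the form fields for a button that was
    // never rendered, so the decision is made again here rather than trusted from
    // Page_Load of the earlier request. (ASP.NET 2.0+ event validation also rejects
    // postbacks from unrendered controls, but that is framework configuration; this
    // check does not depend on it.)
    protected void btnDelete_Click(object sender, EventArgs e)
    {
        if (!CanDelete(ticketOwner))
        {
            Response.StatusCode = 403; // refuse, and log it in a real system
            Response.End();
            return;
        }
        TicketRepository.Delete(ticketId); // assumed helper
    }
}
```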