Re: Is Hiding Server Controls Enough ?

Actually, I have managed to 'Fake' the postback and cause a hidden button to
fire its click event with a great deal of ease, *surprisingly*.

In another post further to the left, Bruce Barker outlined a simple method,
I tested it and unfortunately you *Can* fake it.

It's unfortunate that we have to use our creative talents to thwart the damn
hackers, but I guess that's life.

--
Best Regards

The Inimitable Mr Newbie º¿º


"Kevin Spencer" <kevin@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:%23QWKs263FHA.2640@xxxxxxxxxxxxxxxxxxxxxxx
> Yo Mr. Newbie,
>
>> Will this activate the Server side click event for this button regardless
>> of if it has been displayed or not ?
>
> No it will not. It would require a great deal of skill to accomplish
> something like this, if you do it correctly. That is, use an
> HtmlInputButton Control or a Button WebControl (used as a Command Button
> would be best, as this does not create a Submit button, and makes the job
> more difficult for the would-be hacker). These controls use JavaScript to
> send information about themselves in hidden form fields back to the
> server. So, the first obstacle for Sarah would be not only to add a Delete
> button to the HTML, but also to add the appropriate information into the
> hidden form fields. She would also have to enter the correct information
> into the hidden ViewState form field, in order to trick the server into
> reproducing the Page class and Controls as if its previous state had
> included the button. This is because HTTP is stateless. The server relies
> on the Request coming from the client to reproduce its State if the Page
> is posted back. It has to build the Page from scratch with each Request.
>
> Sarah's only resort would be to get on to the computer right after John
> has loaded the page in the state she wants, and to copy the HTML to
> another file she could hide somewhere. Then, when John is gone, she could
> pull up the page with John's information in it, and merge the HTML to
> create the state she needs. Of course, this could be accounted for by a
> clever developer as well.
>
> In short, using Server Controls would indeed be your best bet.
>
> --
> HTH,
>
> Kevin Spencer
> Microsoft MVP
> .Net Developer
> A watched clock never boils.
>
> "Mr Newbie" <here@xxxxxxx> wrote in message
> news:O640KM63FHA.2600@xxxxxxxxxxxxxxxxxxxxxxx
>> OK, thanks for the reply. I do intend to use access control but I think
>> perhaps I didn't make myself clear enough.
>>
>> Let's say that we have two users 'Jon' and 'Sarah'. John may delete
>> anything but 'Sarah' may only delete her own work.
>>
>> Before the form is rendered, the control logic determines that this
>> document belongs to 'Jon' but that it is 'Sarah' who has opened it.
>> Therefore the logic sets the Visible property of the 'Delete' button to
>> False so it is not rendered to the client.
>>
>> However, 'Sarah' is feeling evil today and decides to enter the tags
>> she's seen before on her own documents and loads the page, or at least
>> somehow manages to add this object into the document displayed and invoke
>> its click event.
>>
>> Will this activate the Server side click event for this button regardless
>> of if it has been displayed or not ?
>>
>> Regards Mr Newbie . . .
>>
>>
>> "John Timney ( MVP )" <timneyj@xxxxxxxxxxxxx> wrote in message
>> news:%233IMdE63FHA.2364@xxxxxxxxxxxxxxxxxxxxxxx
>>> no - hiding is not enough, as someone could simply reconstruct your
>>> hidden elements.
>>>
>>> At the least you need to use some form of access control, to verify who
>>> the logged in user is and then display the controls or not based on
>>> that role.
>>>
>>> --
>>> Regards
>>>
>>> John Timney
>>> ASP.NET MVP
>>> Microsoft Regional Director
>>>
>>> "Mr Newbie" <here@xxxxxxx> wrote in message
>>> news:%23r9IlB63FHA.3636@xxxxxxxxxxxxxxxxxxxxxxx
>>>> I was thinking about developing a workflow application yesterday and was
>>>> musing over the different approaches that one could take in restricting
>>>> specific actions on a ticket( Form ) at any said stage.
>>>>
>>>> One approach I have used on other systems is to prevent the action
>>>> buttons appearing. For example, if one did not have the Role of
>>>> Administrator, one would be prevented from deleting a ticket not
>>>> created by oneself.
>>>>
>>>> However, it did occur to me that there was a possibility of manually
>>>> constructing the button code in the page which has been rendered to the
>>>> client.
>>>>
>>>> If you have a button which was visible=false ( Not HTML hidden ), then
>>>> would it be possible to invoke the backend function by manually adding
>>>> the tag/id etc for this button ?
>>>>
>>>> I guess I could experiment, but I wondered if there was an instant
>>>> answer available ?
>>>> --
>>>> Best Regards
>>>>
>>>> The Inimitable Mr Newbie º¿º
>>>>
>>>
>>>
>>
>>
>
>
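The thread's conclusion is that Visible=false only decides what is rendered, while a postback can still reach the button's server-side handler, so the permission rule has to be enforced in the handler itself. The code-behind below is an added example written for this editorial pass; it is not code posted by anyone in the thread. It assumes a Web Forms page with a Button named btnDelete, an "Administrator" role, a document id passed in the query string, and a hypothetical OwnerOf() lookup with constructed sample data; the rule it encodes is the one Mr Newbie describes (an administrator may delete any document, everyone else only their own).

```csharp
// Added example (not code from any poster in this thread). Assumes a Web Forms
// page with a Button named btnDelete and a hypothetical document store.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class TicketPage : Page
{
    // Hypothetical owner lookup; a real page would read this from its data store.
    private static string OwnerOf(string documentId)
    {
        return documentId == "doc-42" ? "Jon" : "Sarah";   // constructed sample data
    }

    // The single authorization decision for this page. Visibility is derived
    // from it; it is never inferred from what the client posted back.
    public static bool CanDelete(IPrincipal user, string documentId)
    {
        if (user == null || !user.Identity.IsAuthenticated) return false;
        if (user.IsInRole("Administrator")) return true;
        return string.Equals(user.Identity.Name, OwnerOf(documentId),
                             StringComparison.OrdinalIgnoreCase);
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        string documentId = Request.QueryString["id"];
        // Hiding the button is a usability choice, not the access check.
        btnDelete.Visible = CanDelete(User, documentId);
    }

    protected void btnDelete_Click(object sender, EventArgs e)
    {
        string documentId = Request.QueryString["id"];
        // Re-check on every postback: the handler can be reached by a
        // hand-built request whether or not the button was ever rendered.
        if (!CanDelete(User, documentId))
        {
            throw new HttpException(403, "Not permitted to delete this document");
        }
        DeleteDocument(documentId);
    }

    private void DeleteDocument(string documentId)
    {
        // Hypothetical: the real deletion against the data store goes here.
    }
}
```

Because CanDelete() is the only place the rule lives, Page_Load and btnDelete_Click cannot drift apart, and a forged postback that reaches the click handler is refused with the same decision that hid the button in the first place. Logging the refused attempt alongside the user name and document id is a cheap addition if you want these forged postbacks to show up in monitoring.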
