17

Say an ASP.NET page, or any HTML page for that matter, has a drop-down list with a bunch of prices. On posting the page, the code looks at the selection of the drop-down list for a computation. Is it possible for someone to alter the values and post the page without the server knowing the page has been tampered with?

Update

I have been told ASP.NET does offer some protection from this with the Page.EnableEventValidation property. With this enabled (it is enabled by default), trying to change the value of an ASP control will result in an error:

Invalid postback or callback argument. Event validation is enabled using <pages enableEventValidation="true"/> in configuration or <%@ Page EnableEventValidation="true" %> in a page. For security purposes, this feature verifies that arguments to postback or callback events originate from the server control that originally rendered them. If the data is valid and expected, use the ClientScriptManager.RegisterForEventValidation method in order to register the postback or callback data for validation.

drobison
  • 273
  • 2
  • 7

5 Answers

32

Dropdown lists are an HTML/UI construct. There isn't any such concept in HTTP, which is how the client and the server ultimately talk to one another.

So, while yes, a client could alter the page, that isn't absolutely required, because there doesn't actually need to be a page. In the end a client simply sends an HTTP request back to the server and it contains some data, and that data could be the values entered into the HTML form, or it could be arbitrary values chosen at the user's whim.

The bottom line is, you can't trust input. Anything sent by the client should be suspect, there's no guarantee that it's what you expect, and it must be validated on the server before acceptance.

Xander
  • 35,525
  • 27
  • 113
  • 141
9

Simply, yes, it can be done. The user downloads the HTML, modifies the content, and sends the form with the modified content.

Make absolutely sure that you are validating all form data before it hits your DB. Depending on your web framework, there is usually a way to limit options to exactly what you specify.

MrSynAckSter
  • 2,020
  • 10
  • 16
  • "there is usually a way to limit options to exactly what you specify.": JSF for example automatically discards any data from a submit that was not in the drop-down list rendered by JSF. – sleske Sep 12 '13 at 09:37
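The two answers above make the same point: the server must treat the posted value as untrusted and accept only what it rendered. As an added example that is not part of any answer on this page, the following Python shows the vulnerable pattern (trusting a `price` field sent by the client) beside the hardened one (the option value is a key into a server-side catalogue, and anything outside that catalogue is rejected). The catalogue, the form field names `plan` and `price`, and the sample POST bodies are all constructed for this illustration.

```python
"""Server-side validation of a dropdown selection (added example).

The server renders the <select> from its own price table and, on POST,
accepts only the option keys it rendered. The price is looked up on the
server, so editing the HTML or replaying a modified request cannot change it.
"""
from html import escape
from urllib.parse import parse_qs

# Constructed catalogue: option value -> (label, price in cents).
# Only the keys are ever sent to the client; prices stay server-side.
CATALOGUE = {
    "basic": ("Basic plan", 999),
    "plus": ("Plus plan", 1999),
    "pro": ("Pro plan", 4999),
}


class InvalidSelection(ValueError):
    """Raised when a posted value is not one of the rendered options."""


def render_select(name="plan"):
    """Render the dropdown from the catalogue (hypothetical field name 'plan')."""
    options = "".join(
        f'<option value="{escape(key)}">{escape(label)}</option>'
        for key, (label, _price) in CATALOGUE.items()
    )
    return f'<select name="{escape(name)}">{options}</select>'


def price_trusting_client(form_body):
    """VULNERABLE: takes the price from a client-supplied 'price' field.

    A user who edits the form, or simply crafts the POST body, chooses
    their own price. Shown only to contrast with selected_price().
    """
    fields = parse_qs(form_body)
    return int(fields["price"][0])


def selected_price(form_body, name="plan"):
    """HARDENED: map the posted option key back to the server-side price.

    Rejects a missing, blank, duplicated, or unknown value, i.e. anything
    that is not exactly one key the server rendered.
    """
    fields = parse_qs(form_body, keep_blank_values=True)
    values = fields.get(name, [])
    if len(values) != 1:
        raise InvalidSelection(f"expected exactly one {name!r} value, got {len(values)}")
    key = values[0]
    if key not in CATALOGUE:
        raise InvalidSelection(f"{key!r} is not a rendered option")
    return CATALOGUE[key][1]


def is_valid_selection(form_body, name="plan"):
    """Convenience predicate: True only if selected_price() would accept the body."""
    try:
        selected_price(form_body, name)
    except InvalidSelection:
        return False
    return True


if __name__ == "__main__":
    print(render_select())
    # Constructed requests: an honest submission and a tampered one.
    honest = "plan=pro&price=4999"
    tampered = "plan=pro&price=1"
    print("trusting client, tampered body:", price_trusting_client(tampered))  # 1
    print("server lookup, tampered body:", selected_price(tampered))           # 4999
    print("unknown option accepted?", is_valid_selection("plan=free"))         # False
```

The hardened version never reads a price from the request at all; the only client-controlled input is a key, and the lookup table doubles as the allow-list. This is also what ASP.NET's event validation and the JSF behaviour mentioned in the comment amount to: the server keeps its own record of which option values it rendered and refuses anything else.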
4

If you install a proxy on your client, such as Paros, you could very easily trap the response from your browser before it goes to the server and edit any value - including the option chosen from the drop down form element. Once you have seen how easy this is, you can easily imagine how you could do this in a variety of programmatic ways - including add-ons in the browser if your browser was compromised.

The only way to guard against this is to check the value once it arrives at the server, i.e. that the value is a valid one.

This is true of all data sent to the server, form data, URL GET path data, even headers.

Browser/client based security is no security at all.

David Scholefield
  • 1,824
  • 12
  • 21
3

If you are using Google Chrome, simply right-click and choose Inspect Element. Then go to that particular select tag, right-click and choose "Edit as HTML" to add a new option.

0

They could inject the data into the response, but if the server-side code isn't looking for what they are giving, then that is where their injection is halted. Validation in server-side code is best.

Malachi
  • 207
  • 1
  • 12