Tags: asp.net, security, viewstate, page-lifecycle, dynamic-controls

What prevents a user from adding controls to an ASP.NET page client side?


This goes back to my other question, which I thought was sufficiently answered, but upon reflection I am not sure that it was (sorry).

Backgrounder:

  1. I am generating a form dynamically. I am pulling from the database the controls.

  2. I must associate each control with a database ID, which is not the user's session ID. I do this currently by storing my ID in the ID of the web control, with some other stuff to make it unique and clear what I am doing.

  3. On the postback, I iterate through all the controls on my web page checking for my special identifier, i.e., MyGeneratedTextBox_ID_Unique. This process enables 2 important steps: identifying that the control was one I generated, and getting the ID for this input field.

And all of this works, but I'm still concerned about the security of it. I do not see a security issue with showing the actual database IDs in this case, although I agree it is not desirable. However, I am concerned about the following possibilities:

  1. If a user could add a nefarious control to my collection and use that for a SQL injection attack.

  2. More academic, but if a user could somehow store data for fields they do not have access to by changing the IDs.

I agree this is a "hack" of a way to do it. But my question is: is it a security risk, and is there an 'easy' way to do it in a less hacky way?

I assume that only the controls that are created/instantiated on the page are added to the controls list; thus all controls must be created server side, and thus the security issue is addressed, but I just wanted to validate. Thanks again.

PS: I could see that adding a property for each control and encrypting the ViewState would be a little more secure.


Solution

  • I think what you answered yourself is not wrong. But I feel like you are still mixing things up a bit (creation/instantiation/definition of controls vs. restoring ViewState/state management).

    Maybe the following two pieces of information help clear things up a bit:

    I very warmly recommend the second article to anyone using ASP.NET (and thus ViewState).
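As an added example that is neither the asker's code nor part of the answer above, here is one way to lay out such a page so that both of the asker's concerns (a client-injected control reaching SQL, and a user writing to a field ID they were not shown) are handled by the page lifecycle and the data layer rather than by trust in the posted IDs. It also illustrates the answer's distinction between creating controls and restoring their state: the controls are recreated in Page_Init on every request, before ViewState and the posted form values are loaded into them, so the only TextBoxes that ever exist are the ones the server built. The field IDs rendered for the current user are kept as an allow-list, the numeric suffix of a control ID is parsed strictly, and every user-influenced value reaches SQL as a typed parameter. Everything named here is assumed, not taken from the question: the Prefix constant, a Fields table (FieldId, FieldLabel), a FieldAccess table (FieldId, UserId), a FieldValues table (FieldId, UserId, Value), a PlaceHolder called FormHolder and a Button wired to Save_Click in the .aspx markup, a connection string called "AppDb", and a Session["UserId"] entry set at login.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Globalization;
using System.Web.UI;
using System.Web.UI.WebControls;

// Added example, not code from the question or the answer. Schema, control names,
// connection string name and the Session["UserId"] key are all assumptions.
public partial class DynamicForm : Page
{
    // Marker prefix for generated controls; the suffix is the database field id.
    private const string Prefix = "MyGeneratedTextBox_ID_";

    // Field ids rendered on this request. Doubles as the allow-list on postback:
    // a value is saved only for an id the server itself chose to show this user.
    private readonly HashSet<int> _allowedFieldIds = new HashSet<int>();

    // Page_Init runs before ViewState and posted values are loaded, so the dynamic
    // control tree must be rebuilt here, identically, on every request. Only controls
    // created here exist; nothing in the posted form can add one to the collection.
    protected void Page_Init(object sender, EventArgs e)
    {
        foreach (KeyValuePair<int, string> field in LoadFieldsForUser(CurrentUserId()))
        {
            _allowedFieldIds.Add(field.Key);
            var box = new TextBox { ID = Prefix + field.Key.ToString(CultureInfo.InvariantCulture) };
            FormHolder.Controls.Add(new Label { Text = field.Value, AssociatedControlID = box.ID });
            FormHolder.Controls.Add(box);
        }
    }

    protected void Save_Click(object sender, EventArgs e)
    {
        int userId = CurrentUserId();
        foreach (Control c in FormHolder.Controls)
        {
            var box = c as TextBox;
            if (box == null) continue;

            int fieldId;
            if (!TryParseFieldId(box.ID, out fieldId)) continue;   // not one we generated
            if (!_allowedFieldIds.Contains(fieldId)) continue;    // not rendered for this user
            SaveValue(userId, fieldId, box.Text);
        }
    }

    // Accepts only Prefix followed by a plain positive integer (no sign, spaces or
    // other characters), so the id can never carry anything but a number into SQL.
    internal static bool TryParseFieldId(string controlId, out int fieldId)
    {
        fieldId = 0;
        if (controlId == null || !controlId.StartsWith(Prefix, StringComparison.Ordinal)) return false;
        string suffix = controlId.Substring(Prefix.Length);
        return int.TryParse(suffix, NumberStyles.None, CultureInfo.InvariantCulture, out fieldId)
               && fieldId > 0;
    }

    // Assumption: the authenticated user's id is stored in session at login and is
    // never read from the request.
    private int CurrentUserId()
    {
        return (int)Session["UserId"];
    }

    private static string ConnectionString
    {
        get { return ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString; }
    }

    // Only the fields this user is permitted to edit are ever turned into controls.
    private static Dictionary<int, string> LoadFieldsForUser(int userId)
    {
        var fields = new Dictionary<int, string>();
        const string sql = "SELECT f.FieldId, f.FieldLabel FROM Fields f " +
                           "JOIN FieldAccess a ON a.FieldId = f.FieldId " +
                           "WHERE a.UserId = @userId ORDER BY f.FieldId";
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@userId", SqlDbType.Int).Value = userId;
            conn.Open();
            using (SqlDataReader r = cmd.ExecuteReader())
                while (r.Read()) fields[r.GetInt32(0)] = r.GetString(1);
        }
        return fields;
    }

    // The SQL text is constant; field id, user id and the typed value are parameters.
    private static void SaveValue(int userId, int fieldId, string value)
    {
        const string sql =
            "UPDATE FieldValues SET Value = @value WHERE FieldId = @fieldId AND UserId = @userId; " +
            "IF @@ROWCOUNT = 0 INSERT INTO FieldValues (FieldId, UserId, Value) VALUES (@fieldId, @userId, @value);";
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@fieldId", SqlDbType.Int).Value = fieldId;
            cmd.Parameters.Add("@userId", SqlDbType.Int).Value = userId;
            cmd.Parameters.Add("@value", SqlDbType.NVarChar, 4000).Value = value ?? string.Empty;
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }
}
```

Two design points are worth noting. The allow-list is computed from the same query that built the controls, so a posted field name that parses correctly but was not rendered for this user is simply dropped rather than written; and because the control IDs are regenerated from the database on every request, the page never has to trust anything in the postback to decide which controls exist. Encrypting ViewState, as the question's postscript suggests, protects state stored in the hidden field; it does not replace the server-side recreation and authorization shown here.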