Geek Answers Handbook

Safe implementation of Page.IsPostBack?

Following my previous question regarding whether the default ASP.NET implementation is safe .IsPostBack (it is not, it can be faked ... The HTTP verb doesnโ€™t even have to be POST!), I thought; should there really be a better way to implement it? Can we come up with a Page.IsPostBack implementation that, when true, is almost guaranteed to indicate that the page is the actual ASP.net postback? This is important if you want to do a security check only once (for example, whether any content based on the user's role will be displayed), and wants to do this only if we are NOT dealing with ASP.net postback.

My first thoughts on how to do this is to implement the verification code in the property, so I can write something like this inside Page_Load :

 if (!_isPostBack) { // Do security check if (userIsNotAuthorized) { btnViewReports.Visible = false; btnEditDetails.Visible = false; // etc. } }

Is there a way to safely implement _isPostBack ? Perhaps something is a repository in ViewState that would be difficult or impossible for jerry-rig to fake postback? Random string?

+5
security c # postback
source share
3 answers

OK, thatโ€™s what I think is the solution: PageIIPostBack is already quite safe as long as event checking is enabled. Let me explain my reasoning below, and I would be glad if someone added a comment, if I got something wrong.

In order for the mail response to be sent to ASP.net and the OnClick control to be OnClick , when event checking is enabled, the client must send the __EVENTVALIDATION form __EVENTVALIDATION . This field contains a unique string that basically tells ASP.net which controls the postback event for this page that may have originated from. If you try to fake a .Visibility = false for the button on which .Visibility = false , you will see an error message checking events. So it seems like you cannot directly spoof a click on a hidden control.

How about replacing the postback of one of the existing buttons on the page that you selected (i.e. you have permission to view / click on it)? Well, you can send a back link to the page, but you need to send a valid __VIEWSTATE or you just get a "status information" error. To have a valid __VIEWSTATE , you already need to load the page as unsent, right? This means that the security check code will be executed at least once, hiding the corresponding controls and writing them to __VIEWSTATE . That way, when you send the spoof postback, yes, it will cause the Page.IsPostBack value Page.IsPostBack be true, but it doesnโ€™t matter since the __VIEWSTATE presented __VIEWSTATE already generated at the previous load without postback to hide the content that you should not have access to ... so you can fool the __VIEWSTATE , but only by passing __VIEWSTATE , which was previously generated by loading without postback.

So, because of these facts, it should be safe only to put the security verification code inside the Page.IsPostBack == false block. This should always be run once before a valid postback can be sent to the ASP.net server. Or am I missing something?

+1
source share

I had a project a couple of years ago when we had some kind of penetration test done in code. They noted the fact that, by default, IsPostback does not check the http verb. To solve this problem, I created an abstract page class with its own implementation of IsPostback , which obscures the default implication:

 Public Class ProjectPage : System.Web.UI.Page public new bool IsPostBack() { return (Page.IsPostBack && Request.HttpMethod.ToUpper() == "POST"); } End Class

This allows testing on the http-verb, but you can easily extend this method and perform other checks.

+2
source share

Cookie is a much better mechanism for your needs. A cookie is a token that could only be created by the server and provided certain requirements for the token holder, for example, a recently signed one and the presence of certain permissions and / or preferences. Some of these features are built into FormsAuthentication. You can implement your own cookie mechanism, but you should investigate secure cookie protocols, as there are several unobvious security considerations.

The advantage is that you do not need to go to the database for each request, you just trust it. It can also be a good strategy to weather certain DoS attacks, because you can configure your application so that a specialized device in front of the application servers checks tokens and issues incorrect requests.

If cookies are not allowed, you can send the token as part of the URL, as formauth allows, or as a form field in your postback. But it will help more to manage cookies, IMHO, as soon as you are faced with the problem of creating the correct token.

0
source share

More articles:


All Articles