Tech Off Thread


Web Forms - Buffer Overflow

  • Harlequin

    Are .NET Web Forms immune to someone copying the HTML, changing the field maxlengths and using that new form? (As in a buffer overflow attack)

    Would the server know that the form isn't "real"?

  • Maurits

    maxlengths are a client-side validation technique.  Client-side validation is a convenience for the user, not a real security mechanism.

    If someone has a tool like Fiddler or LiveHTTPHeaders, they can modify the form input values without having to mess with the HTML.

    Validate server-side to protect yourself.  Validate client-side to save the user a trip to the server.

    EDIT: Even without any special tools, simple javascript works:

    javascript: var is = document.getElementsByTagName("input"); for (var i = 0; i < is.length; i++) { is[i].maxLength = 1000; } void(0);

  • Harlequin

    Yeah, I was just going to get the server to chop up the incoming strings (for textboxes, for example) to match the maxlength of the textbox.

    I was just wondering if the server knows that the "fake" page someone pulled down and tossed onto their server is the right one. I guess they would then make the action="" of the form to be the page they sucked the HTML from.

  • Maurits

    If someone made a copy of the HTML as a local HTML page, then tweaked it, you'd be able to tell because the HTTP_REFERER header would not be what it should.  But there are other ways to send fake data.

    Basically, never trust a Request object.  Validate all the data server-side before processing, always.
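    The server-side check that both of Maurits's replies call for, as an added example that is not code from the thread or from ASP.NET itself. It is a Web Forms code-behind for a hypothetical page (the control IDs txtName, valName and btnSubmit and the 40-character limit are assumptions). The TextBox's MaxLength only emits an HTML maxlength attribute, which the client can edit or bypass with a proxy exactly as described above, so the authoritative length check runs in a CustomValidator's ServerValidate handler and the click handler refuses to process the request unless Page.IsValid is true. The Referer header is not used as a control because it is supplied by the client just like the form fields.

```csharp
// Added example, not from the original thread: server-side length validation
// for an ASP.NET Web Forms page. Assumed markup (hypothetical):
//   <asp:TextBox ID="txtName" runat="server" MaxLength="40" />
//   <asp:CustomValidator ID="valName" runat="server" ControlToValidate="txtName"
//        ValidateEmptyText="true" OnServerValidate="ValName_ServerValidate"
//        ErrorMessage="Name must be between 1 and 40 characters." />
//   <asp:Button ID="btnSubmit" runat="server" Text="Submit" OnClick="BtnSubmit_Click" />
using System;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class CommentForm : Page
{
    // Single source of truth for the limit; the MaxLength in the markup is
    // only a convenience for the browser and is never relied on here.
    private const int NameMaxLength = 40;

    // Pure check so the rule can be unit-tested without a Page instance.
    public static bool IsValidName(string value)
    {
        if (string.IsNullOrEmpty(value))
        {
            return false;
        }
        // Length is measured on the server-received value, not on whatever
        // maxlength attribute the client claims to have honoured.
        return value.Length <= NameMaxLength;
    }

    // Runs on every postback that triggers validation. args.Value is the raw
    // posted text for txtName; a tampered or proxied request can post any
    // length, so this is where the limit is actually enforced.
    protected void ValName_ServerValidate(object source, ServerValidateEventArgs args)
    {
        args.IsValid = IsValidName(args.Value);
    }

    protected void BtnSubmit_Click(object sender, EventArgs e)
    {
        // Validation already ran before Click for a button with
        // CausesValidation=true; calling it again makes the dependency explicit.
        Page.Validate();
        if (!Page.IsValid)
        {
            // The validator renders its ErrorMessage; nothing is processed.
            return;
        }

        // Safe to use: the value passed the server-side rule above.
        string name = txtName.Text;
        // ... persist or process name ...
    }
}
```

    Rejecting over-length input with a validator is usually preferable to silently truncating it, because truncation can hide tampering and can split multi-byte or escaped sequences in ways downstream code does not expect. If truncation is still wanted for a non-security reason, apply it only after the validator has accepted the value.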
