How to stop ASP.NET dropdown tampering? For error "Invalid postback or callback argument. Event validation is enabled .............."

  • Question

  • User706407582 posted

    Hi

    I have an ASP.NET (4.6.2) website that is getting scanned by a tool called "Hailstorm" for checking vulnerabilities.
    This tool is able to tamper with my ASP.NET drop-down list and gives an exception (buffer overflow):

    Invalid postback or callback argument.  Event validation is enabled using <pages enableEventValidation="true"/> in configuration or  <%@ Page EnableEventValidation="true" %> in a page.  For security purposes, this feature verifies that arguments to postback or callback  events originate from the server control that originally rendered them.  If the data is valid and expected, use the ClientScriptManager.RegisterForEventValidation method in order to register the postback or callback data for validation.

    Original HTML

    <select name="ctl00$MainContent$ddlStatus" id="ctl00_MainContent_ddlStatus">

    <option value="X">ALL</option>

    <option value="1">COMPLETE</option>

    <option value="3">IN PROGRESS</option>

    <option value="0">FAIL</option>

    <option value="R">REVERSE</option>

    </select>

    Tampered HTML by the attacker tool after the submit button is clicked ->

    <select name="ctl00$MainContent$ddlStatus" id="ctl00_MainContent_ddlStatus">

    <option value="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA!@#$(!@#*!@#)!@#*(<?>":}{+~!)_AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA">ALL</option>

    <option value="1">COMPLETE</option>

    <option value="3">IN PROGRESS</option>

    <option value="0">FAIL</option>

    <option value="R">REVERSE</option>

    </select>

    How can I control this? Because this value is tampered with only after I submit the form. I can have control over the value only until I submit the form (client validations).

    Page EnableEventValidation="true" is a default feature of IIS, which I don't want to change. If I make it false, it may open the door to other cross-site scripting attacks.

    Will the options below work?
    1. Bind the dropdown dynamically
    2. JavaScript validation before submitting the form?

    Please let me know if there is a quick way to fix this issue. Urgent responses will be really appreciated.

    Thank you.
    Sarang1183

    Friday, February 8, 2019 11:59 AM
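
The exception quoted in the question is event validation rejecting a posted value that the server never rendered, so one defensive option is to leave it enabled and turn the resulting unhandled error into a logged HTTP 400. The following is an added example, not code from the original thread. It assumes a `Global.asax.cs` in the site and recognises the failure by the throwing method (`ClientScriptManager.ValidateEvent`), which is an assumption about where the framework raises it.

```csharp
// Global.asax.cs : added example, not code from the original post.
using System;
using System.Diagnostics;
using System.Web;
using System.Web.UI;

public class Global : HttpApplication
{
    // Assumption: the "Invalid postback or callback argument" ArgumentException
    // is thrown by ClientScriptManager.ValidateEvent, so TargetSite identifies it
    // without matching on the (localisable) message text.
    private static bool IsEventValidationFailure(Exception ex)
    {
        var arg = ex as ArgumentException;
        return arg != null
            && arg.TargetSite != null
            && arg.TargetSite.DeclaringType == typeof(ClientScriptManager)
            && arg.TargetSite.Name == "ValidateEvent";
    }

    protected void Application_Error(object sender, EventArgs e)
    {
        Exception error = Server.GetLastError();
        if (error == null) return;

        // Page exceptions arrive wrapped in HttpUnhandledException.
        Exception root = error.GetBaseException();
        if (!IsEventValidationFailure(root)) return; // other errors: normal handling

        // Record the rejected request for review; do not echo posted values back.
        Trace.TraceWarning("Event validation rejected postback: client={0} path={1}",
            Request.UserHostAddress, Request.Path);

        // Answer with a plain 400 instead of a 500 error page with a stack trace.
        Server.ClearError();
        Response.Clear();
        Response.StatusCode = 400;
        Response.TrySkipIisCustomErrors = true;
        Response.ContentType = "text/plain";
        Response.Write("Bad request.");
    }
}
```

The rejected value never reaches the drop-down's event handlers, so the handler only changes how the rejection is reported, not whether the value is accepted.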

All replies