nirman.doshi
Participant
1520 Points
775 Posts
Hacking: Disabled dropdown can be enabled by malicious user
Jul 04, 2012 12:12 PM|LINK
I have an asp:DropDownList control in my website.
This dropdown lists all users of my application. If a logged-in user is non-admin then the dropdown should be disabled, and if a user is admin then the dropdown should be enabled. (I know, it's a bad design, but it's the way it was developed.)
The problem is that any non-admin user with a little knowledge of CSS can open a developer tool (or Firebug) and enable that dropdown list easily.
Does anyone have an idea of how to overcome this?
Thanks
Software Developer
Vadodara, India
hariharakris...
Member
76 Points
32 Posts
Re: Hacking: Disabled dropdown can be enabled by malicious user
Jul 04, 2012 12:16 PM|LINK
Well, Mr. nirman.doshi,
I ask you one thing: isn't the application written to check the user's privileges before executing a submit operation that is received by the page?
If it is, let him do anything with Firebug.
adeelehsan
All-Star
18217 Points
2722 Posts
Re: Hacking: Disabled dropdown can be enabled by malicious user
Jul 04, 2012 12:21 PM|LINK
If the permissions are properly controlling everything, then it's OK, but still you can hide the dropdown instead of disabling it if the user is non-admin. This way it will not be part of the HTML, so no one can see it. Or you can add it dynamically for the admin user only.
MCPD ASP.NET 4.0 and 3.5, MCTS WSS, MOSS, SharePoint 2010, MCT
Microsoft Community Contributor Award 2011
hariharakris...
Member
76 Points
32 Posts
Re: Hacking: Disabled dropdown can be enabled by malicious user
Jul 04, 2012 12:25 PM|LINK
Of course, Mr. adeelehsan. Doing this is a casual practice and a good one too.
Ruchira
All-Star
42876 Points
7013 Posts
MVP
Re: Hacking: Disabled dropdown can be enabled by malicious user
Jul 05, 2012 11:20 AM|LINK
Hello,
Set Visible="false" for that particular DropDownList so it will not get rendered on the client side.
Please 'Mark as Answer' if this post helps you.
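The two suggestions in the replies above (check privileges on the server before acting on a submit, and do not render the dropdown for non-admins) combined in one code-behind, as an added example that is not code from any poster in this thread. The control IDs `ddlUsers` and `btnSave`, the role name "Admin", the use of the ASP.NET Membership provider and the helper `SaveSettingsFor` are assumptions.

```csharp
using System;
using System.Diagnostics;
using System.Web.Security;
using System.Web.UI;

// Assumed page: ddlUsers (asp:DropDownList) and btnSave (asp:Button) are
// declared in the .aspx markup; their fields come from the designer file.
public partial class ManageUser : Page
{
    // Decided from the authenticated identity, never from anything the browser sends.
    private bool IsAdmin
    {
        get { return User.Identity.IsAuthenticated && User.IsInRole("Admin"); } // assumed role name
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // Visible=false: the control is not rendered, so non-admins never
        // receive the list of users in the page HTML.
        ddlUsers.Visible = IsAdmin;

        if (IsAdmin && !IsPostBack)
        {
            ddlUsers.DataSource = Membership.GetAllUsers(); // assumes Membership is configured
            ddlUsers.DataTextField = "UserName";
            ddlUsers.DataValueField = "UserName";
            ddlUsers.DataBind();
        }
    }

    protected void btnSave_Click(object sender, EventArgs e)
    {
        // A non-admin should never post a value for this control. If one
        // arrives, the request was hand-edited: record it and ignore the value.
        if (!IsAdmin && Request.Form[ddlUsers.UniqueID] != null)
        {
            Trace.TraceWarning("Non-admin {0} posted a value for {1}",
                               User.Identity.Name, ddlUsers.UniqueID);
        }

        // Admins act on the selected user; everyone else only on themselves.
        string targetUser = IsAdmin ? ddlUsers.SelectedValue : User.Identity.Name;
        SaveSettingsFor(targetUser);
    }

    // Hypothetical placeholder for whatever the page already does on submit.
    private void SaveSettingsFor(string userName) { /* application-specific */ }
}
```

With the target user chosen on the server, re-enabling or re-adding the dropdown in the browser changes nothing about what the submit is allowed to do.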