Last post Feb 11, 2019 04:11 PM by PatriceSc
Feb 08, 2019 11:59 AM|sarang1183
I have an ASP.NET (4.6.2) website that is getting scanned by a tool called "Hailstorm" for checking vulnerability.
This tool is able to tamper with my ASP.NET drop down list and gives an exception (buffer overflow):
Invalid postback or callback argument. Event validation is enabled using <pages enableEventValidation="true"/> in configuration or <%@ Page EnableEventValidation="true" %> in a page. For security purposes, this feature verifies that arguments to postback or callback events originate from the server control that originally rendered them. If the data is valid and expected, use the ClientScriptManager.RegisterForEventValidation method in order to register the postback or callback data for validation.
Tampered HTML by attacker tool after submit button is clicked ->
How can I control this? Because this value is tampered only after I submit the form. I can have control over the value only till I submit the form (client validations).
Page EnableEventValidation="true" is a default feature of IIS, which I don't want to change. If I make it false, it may open the door for other cross-site scripting attacks.
Will the options below work?
1. Bind dropdown dynamically
2. JavaScript validation before submitting form?
Please let me know if there is a quick way to fix this issue. Urgent responses will be really appreciated.
Feb 11, 2019 05:32 AM|Nan Yu
That error occurs if you update generated controls from the client side. You can check the explanation and solutions from the links below:
Feb 11, 2019 04:11 PM|PatriceSc
Unclear. You are showing the expected behavior for a tampered dropdown (this error means ASP.NET detected that the posted drop down value is not part of the values that were shown when first showing this page).
If you want to solve some other exception (you have a "buffer overflow" exception ???) it would be best to show us this one.
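
The behavior discussed in this thread, as an added example that is not code from any of the posters: a Web Forms code-behind that leaves event validation on, re-checks the posted drop-down value against a server-side allowlist, and answers a rejected postback with a logged HTTP 400 instead of the default error page. The names OrderForm, ddlCountry, btnSubmit_Click and the country values are hypothetical, and the TargetSite check is a heuristic that assumes the failure is raised from ClientScriptManager.ValidateEvent.

```csharp
// Added example (not from the thread). ddlCountry is assumed to be a
// DropDownList declared in the .aspx markup; the values are constructed.
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Web.UI;

public partial class OrderForm : Page
{
    // Server-side allowlist: the only values this page ever renders.
    private static readonly HashSet<string> AllowedCountries =
        new HashSet<string>(StringComparer.Ordinal) { "IN", "US", "FR" };

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            // Bind on first load; event validation records the rendered values.
            ddlCountry.DataSource = AllowedCountries;
            ddlCountry.DataBind();
        }
    }

    protected void btnSubmit_Click(object sender, EventArgs e)
    {
        // Defence in depth: re-check the posted value on the server.
        if (!AllowedCountries.Contains(ddlCountry.SelectedValue))
        {
            Response.StatusCode = 400;
            return;
        }
        // ... continue with the validated value ...
    }

    protected override void OnError(EventArgs e)
    {
        Exception ex = Server.GetLastError();
        // Heuristic (assumption): event validation failures are an
        // ArgumentException thrown by ClientScriptManager.ValidateEvent.
        bool rejected = ex is ArgumentException
            && ex.TargetSite != null
            && ex.TargetSite.DeclaringType == typeof(ClientScriptManager);
        if (!rejected) { base.OnError(e); return; }

        // Log for detection, then return a plain 400 with no stack trace.
        Trace.TraceWarning("Event validation rejected postback from {0} to {1}",
            Request.UserHostAddress, Request.Path);
        Server.ClearError();
        Response.Clear();
        Response.StatusCode = 400;
        Response.TrySkipIisCustomErrors = true;
    }
}
```

Client-side JavaScript validation does not replace either check, because the value is changed after the browser has submitted the form.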