How to stop ASP.NET dropdown tampering ? for error "Invalid postback or callback argument.Event v...
Feb 08, 2019 11:59 AM | sarang1183
Hi
I have an ASP.NET (4.6.2) website that is getting scanned by a tool called "Hailstorm" for checking vulnerability.
This tool is able to tamper my ASP.NET drop down list and gives exception (buffer overflow)
Invalid postback or callback argument. Event validation is enabled using <pages enableEventValidation="true"/> in configuration or <%@ Page EnableEventValidation="true" %> in a page. For security purposes, this feature verifies that arguments to postback or callback events originate from the server control that originally rendered them. If the data is valid and expected, use the ClientScriptManager.RegisterForEventValidation method in order to register the postback or callback data for validation.
Original HTML:
<select name="ctl00$MainContent$ddlStatus" id="ctl00_MainContent_ddlStatus">
<option value="X">ALL</option>
<option value="1">COMPLETE</option>
<option value="3">IN PROGRESS</option>
<option value="0">FAIL</option>
<option value="R">REVERSE</option>
</select>
Tampered HTML by attacker tool after submit button is clicked:
<select name="ctl00$MainContent$ddlStatus" id="ctl00_MainContent_ddlStatus">
<option value="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA!@#$(!@#*!@#)!@#*(<?>":}{+~!)_AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA">ALL</option>
<option value="1">COMPLETE</option>
<option value="3">IN PROGRESS</option>
<option value="0">FAIL</option>
<option value="R">REVERSE</option>
</select>
How can I control this? Because this value is tampered only after I submit the form. I can have control over the value only till I submit the form (client validations).
Page EnableEventValidation="true" is a default feature of IIS, which I don't want to change. If I make it false, it may open the door for other cross-site scripting attacks.
Will the options below work?
1. Bind dropdown dynamically
2. JavaScript validation before submitting form?
Please let me know if there is a quick way to fix this issue. Urgent responses will be really appreciated.
Thank you.
Sarang1183
Re: How to stop ASP.NET dropdown tampering ? for error "Invalid postback or callback argument.Eve...
Feb 11, 2019 05:32 AM | Nan Yu
Hi sarang1183,
That error occurs if you update generated controls from the client side. You can check the explanation and solutions in the links below:
https://stackoverflow.com/questions/228969/invalid-postback-or-callback-argument-event-validation-is-enabled-using-page
https://odetocode.com/Blogs/scott/archive/2006/03/22/asp-net-event-validation-and-invalid-callback-or-postback-argument-again.aspx
Best Regards,
Nan Yu
Re: How to stop ASP.NET dropdown tampering ? for error "Invalid postback or callback argument.Eve...
Feb 11, 2019 04:11 PM | PatriceSc
Hi,
Unclear. You are showing the expected behavior for a tampered dropdown (this error means ASP.NET detected that the posted drop down value is not part of the values that were shown when first showing this page).
If you want to solve some other exception (you have a "buffer overflow" exception ???) it would be best to show us this one.
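
Added example, not code from any poster in this thread: a Global.asax handler that leaves event validation enabled and turns the rejection of a tampered postback into a logged HTTP 400 instead of an unhandled-exception page. It assumes the ArgumentException is raised by ClientScriptManager.ValidateEvent; the class name Global, the log message format and the response text are hypothetical.

```csharp
// Global.asax.cs -- added example, not code from the thread.
using System;
using System.Diagnostics;
using System.Web;
using System.Web.UI;

public class Global : HttpApplication
{
    // True when the failure was raised by WebForms event validation, i.e. the
    // posted value was not among the values the server originally rendered.
    // Assumption: the throwing method is ClientScriptManager.ValidateEvent.
    internal static bool IsEventValidationFailure(Exception error)
    {
        // Page errors may arrive wrapped (e.g. in HttpUnhandledException),
        // so inspect the innermost exception.
        Exception root = error == null ? null : error.GetBaseException();
        return root is ArgumentException
            && root.TargetSite != null
            && root.TargetSite.DeclaringType == typeof(ClientScriptManager)
            && root.TargetSite.Name == "ValidateEvent";
    }

    protected void Application_Error(object sender, EventArgs e)
    {
        Exception error = Server.GetLastError();
        if (!IsEventValidationFailure(error))
            return; // leave every other error to the normal error pipeline

        // Record where the rejected postback came from. The posted value
        // itself is neither logged nor echoed back.
        Trace.TraceWarning("Event validation rejected postback: path={0} ip={1}",
            Request.Path, Request.UserHostAddress);

        Server.ClearError();
        Response.Clear();
        Response.StatusCode = 400;               // client error, not a server fault
        Response.TrySkipIisCustomErrors = true;  // keep IIS from replacing the body
        Response.ContentType = "text/plain";
        Response.Write("Bad request.");
    }
}
```

The rejection itself still happens inside ASP.NET before any control event handler runs, so the tampered value from the post above never reaches the page's own code; client-side script cannot provide this check because the scanner alters the request after the browser has submitted it.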