Postback and hiding fields

I recently stumbled across some ASP.NET code that looks similar to this:

protected void Page_Load(object sender, EventArgs e)
{
    // Only runs on what the page believes is the initial (non-postback) load.
    if (!IsPostBack)
    {
        // Permission check lives inside the !IsPostBack block, so a request
        // that looks like a postback never evaluates it.
        if (!HasPermissions())
            HideSensitiveFields();
    }
}

The code here checks whether this is a normal page load rather than a postback. If it is the initial page load, it checks whether the user may see the sensitive (administrative) fields and hides them if the user does not have the appropriate permissions.

The problem is that it assumes every initial page load will enter the !IsPostBack conditional block. A postback can be faked by passing in a few select query string parameters, such as __EVENTTARGET.

This problem can be solved using event validation, encrypted viewstate, and other better coding practices, but that’s a different subject and I won’t dive into those in this post.

http://localhost:8080/Default.aspx?__eventtarget=

By default, ASP.NET doesn't check the HTTP verb, so a few select query string parameters on a plain GET request are enough to spoof a postback. The URL above makes IsPostBack return true, so the !IsPostBack conditional block is skipped and the sensitive fields are never hidden.
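The hardened counterpart to the Page_Load above, as an added example that is not from the original post: the permission check runs on every request, a request claiming to be a postback is rejected unless it arrived via POST, and the server-side handler re-checks authorization because hiding a control only affects rendering. HasPermissions and HideSensitiveFields are the post's own helper names; the "Admin" role, the "adminPanel" control id and the HandleAdminSave handler are assumptions made for this example.

```csharp
// Added example, not the original post's code. Shows the fixed Page_Load
// pattern for the IsPostBack logic flaw described above.
using System;
using System.Web;
using System.Web.UI;

public class SecureDefault : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // ASP.NET does not tie IsPostBack to the HTTP verb. A GET carrying
        // __EVENTTARGET still reports IsPostBack == true, so treat any
        // "postback" that is not a POST as malformed and stop processing.
        if (IsPostBack &&
            !string.Equals(Request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase))
        {
            Response.StatusCode = 400;
            Context.ApplicationInstance.CompleteRequest();
            return;
        }

        // Evaluate the permission on every request, postback or not. Nothing
        // the client sends can skip this branch.
        if (!HasPermissions())
            HideSensitiveFields();
    }

    // Hypothetical event handler for the administrative fields. A hidden
    // control's values can still be submitted, so authorization is enforced
    // here as well, not only at render time.
    protected void HandleAdminSave(object sender, EventArgs e)
    {
        if (!HasPermissions())
            throw new UnauthorizedAccessException("administrative fields require the Admin role");

        // ... perform the privileged update
    }

    private bool HasPermissions()
    {
        // Assumption: "Admin" stands in for the application's real admin role.
        return User != null && User.Identity.IsAuthenticated && User.IsInRole("Admin");
    }

    private void HideSensitiveFields()
    {
        // Assumption: the sensitive controls sit inside a Panel with id "adminPanel".
        // Visible = false keeps the control and its children out of the rendered page.
        Control panel = FindControl("adminPanel");
        if (panel != null)
            panel.Visible = false;
    }
}
```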
