ReBuildAll Blog
Thoughts (mostly) on .NET development

Tampering with ASP.NET disabled controls   (ASP.NET)   
Ever disabled a control for authorization reasons? For example, some users may not have the necessary rights to edit a particular field of a data item, while other users can. If you solve this scenario by simply rendering the control disabled, without any further check when you update the values on the server side, you may be surprised to find that it is not an effective protection at all.

You see, the values sent to the server can be tampered with. There are good tools for this, for example TamperIE for Internet Explorer; similar tools are available for Firefox as extensions, and any intercepting proxy will do the same job.

All of these tools allow you to change (read: insert, delete or update) any form value that is sent in an HTTP POST request.

Now under normal conditions, when you set a TextBox to disabled, the browser will not send its value to the server. This is a feature of the HTML standard: a disabled control is not "successful", so its value is never included when the form is submitted.

However, with TamperIE you can insert values into the POST body. ASP.NET reads the values from this list regardless of whether the control is disabled or not: the Enabled property only affects how the control is rendered, it does not stop the server from reading a posted value for it. If you simply update your data item with the values from the controls, your application is vulnerable to this kind of parameter tampering.

Example

Suppose we have the following ASP.NET code:

[screenshot: the ASP.NET page with two text boxes, one of them disabled]

You can see two text boxes, one of them disabled. When you press the button, the following code is executed:

        // Fires on postback. Copies whatever ASP.NET loaded into the
        // text boxes, including txtDisabled, even though a well-behaved
        // browser never sends a value for a disabled control.
        protected void Button1_Click ( object sender, EventArgs e )
        {
            labelEnabled.Text = txtEnabled.Text;
            labelDisabled.Text = txtDisabled.Text;
        }


The code feeds the values from the text boxes into labels, but it could just as well update some data item and save the changes into a database.

Under normal conditions labelDisabled will show the "constant" text that the server put into the txtDisabled text box. Start playing with the parameters, however, and you can change that value as well.

After you have installed TamperIE, when you do a form post, the following window will appear:

[screenshot: the TamperIE window listing the POST parameters, with txtDisabled added]

This window allows modifying the parameters that are to be sent to the server. You can then choose to send the original or the altered values. In the screenshot above you can already see that I added the txtDisabled parameter to the collection of parameters, and set its value to Hello world!. As a result my labelDisabled will display that value (also the text box) after I submit the values to the server and get back an updated page.

Solution?

There are two ways to avoid this kind of attack.

First, you can avoid using a TextBox control altogether. This may or may not be an option in your case. A Label renders no form field and reads no posted value, so there is no parameter to tamper with.

But the better way is to always validate any data received on the server side. If the text box was disabled because the user is not authorized to modify that value, re-check that authorization on the server when the POST arrives, and never use or update the value unless the check passes. Treat the Enabled state of a control as a user-interface convenience, not as a security control.
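To make the second solution concrete, here is a hardened version of the handler from the example. This is an added example, not code from the original post: the control names (txtEnabled, txtDisabled, labelEnabled, labelDisabled, Button1) are the ones the post uses, while the page class name and the "Editor" role check are assumptions standing in for whatever authorization rule your application really has.

```csharp
using System;
using System.Web.UI;
using System.Web.UI.WebControls;

// Code-behind for the page from the post. The class name and the
// CanEditRestrictedField() rule are assumptions for this example.
public partial class TamperDemo : Page
{
    // Server-side authorization decision. Replace the role name with your
    // own rule; the point is that it is evaluated from the authenticated
    // principal on every request, never inferred from control state.
    private bool CanEditRestrictedField()
    {
        return User != null
            && User.Identity.IsAuthenticated
            && User.IsInRole("Editor");
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // Disabling the control is only a hint to the browser. It decides
        // what the UI looks like, not what the server accepts.
        txtDisabled.Enabled = CanEditRestrictedField();
    }

    protected void Button1_Click(object sender, EventArgs e)
    {
        labelEnabled.Text = txtEnabled.Text;

        if (CanEditRestrictedField())
        {
            labelDisabled.Text = txtDisabled.Text;
            return;
        }

        // Not authorized: leave labelDisabled (and the stored data) untouched,
        // no matter what txtDisabled.Text now contains. A well-behaved browser
        // never posts a value for a disabled control, so finding one in the
        // raw form data is a tampering signal worth recording.
        if (Request.Form[txtDisabled.UniqueID] != null)
        {
            Trace.Warn("Security",
                "Unexpected value posted for disabled control " + txtDisabled.UniqueID);
        }
    }
}
```

The authorization check runs twice on purpose: once in Page_Load to decide how the control renders, and again in the click handler to decide whether the posted value is used. Only the second one protects the data; the first is cosmetic. The Request.Form lookup uses the control's UniqueID because that is the name ASP.NET renders for the form field, which is also the name an attacker has to add in TamperIE.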

MVC?

Can this affect applications built on the ASP.NET MVC framework? The short answer is: yes, it can. If, for example, you use the UpdateModel method when processing data, it reads the values from the POST parameters, so tampering with the POST values also changes what gets written into the model. In fact it is in a way easier to trick the system into processing parameters, given that you know what to name them: the default model binder matches POST parameters to model properties by name, so the property names of your model are all an attacker needs. This is commonly called over-posting.
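The following controller shows the over-posting problem and one way to close it. It is an added example, not code from the original post: the Item model, the ItemController, the in-memory Store that stands in for a database, and the "Editor" role rule are all hypothetical. UpdateModel, TryUpdateModel(model, includeProperties), HttpStatusCodeResult and Request.Form.AllKeys are the real ASP.NET MVC and System.Web APIs.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Web.Mvc;

// Hypothetical model: Title is editable by everyone, RestrictedNote only by
// users in the "Editor" role (the same kind of rule as the Web Forms case).
public class Item
{
    public int Id { get; set; }
    public string Title { get; set; }
    public string RestrictedNote { get; set; }
}

public class ItemController : Controller
{
    // Stand-in for a database so the example is self-contained (constructed data).
    private static readonly Dictionary<int, Item> Store = new Dictionary<int, Item>
    {
        { 1, new Item { Id = 1, Title = "First item", RestrictedNote = "set by the server" } }
    };

    // Authorization decides the allow-list; the form's appearance does not.
    private string[] EditableProperties()
    {
        return User.IsInRole("Editor")
            ? new[] { "Title", "RestrictedNote" }
            : new[] { "Title" };
    }

    // VULNERABLE: UpdateModel binds every property that has a matching POST
    // parameter. The view may only have rendered "Title", but a request
    // carrying RestrictedNote=Hello+world! overwrites that field as well.
    [HttpPost]
    public ActionResult EditVulnerable(int id)
    {
        Item item = Store[id];
        UpdateModel(item);
        return RedirectToAction("Index");
    }

    // HARDENED: TryUpdateModel(model, includeProperties) binds only the
    // listed properties; anything else in the POST body is ignored.
    [HttpPost]
    public ActionResult Edit(int id)
    {
        Item item = Store[id];
        string[] allowed = EditableProperties();

        // Optional detection: a well-behaved form never posts fields the user
        // was not offered, so a POST key that names a model property outside
        // the allow-list is a tampering signal. The binder is case-insensitive,
        // so the lookup is too.
        string[] unexpected = Request.Form.AllKeys
            .Where(k => k != null
                && typeof(Item).GetProperty(k,
                       BindingFlags.Public | BindingFlags.Instance | BindingFlags.IgnoreCase) != null
                && !allowed.Contains(k, System.StringComparer.OrdinalIgnoreCase))
            .ToArray();
        if (unexpected.Length > 0)
        {
            return new HttpStatusCodeResult(400,
                "Unexpected field(s): " + string.Join(", ", unexpected));
        }

        if (!TryUpdateModel(item, allowed))
        {
            return View(item);
        }
        return RedirectToAction("Index");
    }
}
```

Rejecting the request with a 400 is a choice; silently binding only the allowed properties (which TryUpdateModel with the include list already does) is the minimum. The declarative equivalent is a [Bind(Include = "Title")] attribute on an action parameter, and the cleanest option is a dedicated view model that simply has no RestrictedNote property, so there is nothing for the binder to fill in.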


Comments

There are no comments for this blog entry.