
ASP.Net - Hack viewstate and postback

I'm sure we can see what is inside view state on the client side.

But could a hacker alter the data stored in view state and post it back to the server?

For example, I store an ID in view state and display information regarding that ID. Then the user (hacker) changes the ID to some ID and posts back to the server.

If so, could I please get some solid examples about how to prevent them? Thank you so much for help!!!
Asked:
winmyan
tillgeffken Commented:
Viewstate is hashed but breakable. Use viewstate encryption as described in http://msdn.microsoft.com/en-us/library/aa479501.aspx
 
winmyan (Author) Commented:
Hi tillgeffken,

Thank you for your quick response.

<configuration>
   <system.web>
      <pages ViewStateEncryptionMode="Always" />
   </system.web>
</configuration>

Just by doing that, view state in all aspx pages will be encrypted. Mainly, no hacker can alter the view state?
 
tillgeffken Commented:
That's correct. At least it will make it very difficult; nothing is impossible. However, this is not the right approach to hide data from users. Your website's security should make sure that content is only served to authorized users, but that's a totally different story.
Question has a verified solution.
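
One way to apply both pieces of advice from the thread, as an added example that is not part of the original posts: a C# code-behind that ties view state to the signed-in user with ViewStateUserKey and re-checks ownership of the ID on every postback instead of trusting the value read from view state. The Details page, the SaveButton_Click handler and the RecordOwners sample data are assumptions made for illustration.

```csharp
// Added example: code-behind for a hypothetical Details.aspx page.
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.UI;

public partial class Details : Page
{
    // Constructed sample data: record ID -> name of the owning user.
    private static readonly Dictionary<int, string> RecordOwners =
        new Dictionary<int, string> { { 1, "alice" }, { 2, "bob" } };

    protected void Page_Init(object sender, EventArgs e)
    {
        // Mixes the user's identity into the view state MAC, so view state
        // issued to one user fails validation when posted by another.
        // Has to be set in Page_Init, before view state is loaded.
        ViewStateUserKey = User.Identity.Name;
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        if (IsPostBack) return;
        int id;
        if (!int.TryParse(Request.QueryString["id"], out id))
            throw new HttpException(400, "Bad request");
        EnsureCallerOwns(id);      // authorize before showing anything
        ViewState["ID"] = id;      // kept for the postback, not trusted
    }

    // Hypothetical button handler wired up in the .aspx markup.
    protected void SaveButton_Click(object sender, EventArgs e)
    {
        // The ID comes back from the client: validate and authorize again.
        object stored = ViewState["ID"];
        if (!(stored is int))
            throw new HttpException(400, "Bad request");
        EnsureCallerOwns((int)stored);
        // The record update goes here, using the verified ID.
    }

    // Server-side authorization decision, made on every request.
    private void EnsureCallerOwns(int id)
    {
        string owner;
        if (!User.Identity.IsAuthenticated ||
            !RecordOwners.TryGetValue(id, out owner) ||
            !string.Equals(owner, User.Identity.Name, StringComparison.OrdinalIgnoreCase))
            throw new HttpException(403, "Forbidden");
    }
}
```

With this in place, the ViewStateEncryptionMode setting shown above only hides the ID from the user; whether the user may act on that ID is decided on the server each time.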
