Security pitfalls of the ASP.NET validation controls

zhaozj2021-02-16  102

This article is a word of advice to those who put their trust in the MS ASP.NET validation controls and in JS validation. Please do not use this method for hacking.

All the client-side validation scripts for ASP.NET are located in:

%SystemDrive%\inetpub\wwwroot\aspnet_client\system_web\1_1_4322

The JS file there is WebUIValidation.js. The last directory, 1_1_4322, differs from one .NET environment to another.

IE's download mechanism is that if the file on the server has not changed, it is not downloaded again. That is, if the cached file is modified in some way and its size does not change, the client-side restrictions imposed by the JS file can be broken, since ASP.NET's WebUIValidation.js is not updated often (or at all).

1. Go to your IE cache directory [Internet Properties / General / Settings button].

2. Clear all the directories inside the Content.IE5 directory.

3. Visit the ASPX page you want to test (it must contain validation controls).

4. Once the page has loaded, search Content.IE5 for WebUIValidation[1].js (it usually has this name).

5. Open it with any editor, find the function ValidatorCommonOnSubmit(), and change event.returnValue = !Page_BlockSubmit; to event.returnValue = true ;;;;;;;;;;;;; so that the size stays unchanged (-:

6. Save, go back to the test page from before, and click submit.

The validation message still appears, but the form is submitted to the server anyway; watch the progress bar at the bottom of IE. The "regular expression" you spent half a day writing is over in just a few hours. If there is no validation on the server, illegal data can easily be saved to it.

Personally, I think the MS validation controls exist to save users time when their data is validated (MS never said they were secure), but they easily give beginners an illusion of safety, because many ASP.NET developers today have no idea how JS works and may not even understand HTML. This may be a negative side effect of the powerful features of Microsoft Visual Studio .NET.

This pitfall is nothing new to veterans. In any case, I personally do not trust data validated by JS scripts (including my own). Client-side validation cannot provide security: you still have to validate on the server, or set the EnableClientScript property of the validation controls to False. It only means writing a little more code.
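The server-side check recommended above, as an added example (not code from the original article). The page layout, the control IDs Zip, Save and Result, and the five-digit pattern are assumptions made for illustration.

```aspx
<%@ Page Language="C#" %>
<script runat="server">
    // Constructed example: click handler for the Save button.
    void Save_Click(object sender, EventArgs e)
    {
        // Every validator runs again on the server during the postback,
        // regardless of what the browser's copy of WebUIValidation.js did.
        // The result is only enforced if the handler checks Page.IsValid.
        if (!Page.IsValid)
        {
            Result.Text = "Rejected by server-side validation.";
            return;
        }

        // Only reached when all validators passed on the server.
        Result.Text = "Accepted: " + Server.HtmlEncode(Zip.Text);
    }
</script>
<html>
<body>
<form runat="server">
    <asp:TextBox id="Zip" runat="server" />

    <%-- RegularExpressionValidator treats an empty field as valid,
         so it is paired with a RequiredFieldValidator. --%>
    <asp:RequiredFieldValidator runat="server" ControlToValidate="Zip"
        ErrorMessage="ZIP code is required" EnableClientScript="False" />

    <%-- EnableClientScript="False" only stops the control from emitting
         client script; the Page.IsValid check above does the enforcing. --%>
    <asp:RegularExpressionValidator runat="server" ControlToValidate="Zip"
        ValidationExpression="\d{5}" ErrorMessage="ZIP code must be 5 digits"
        EnableClientScript="False" />

    <asp:Button id="Save" runat="server" Text="Save" OnClick="Save_Click" />
    <asp:Label id="Result" runat="server" />
</form>
</body>
</html>
```

If the Page.IsValid check is removed from the handler, the validators still display their error messages after the postback, but the handler processes the invalid value anyway.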

Test environment: Win2000, Microsoft .NET Framework version 1.1

When reposting, please cite the original address: https://www.9cbs.com/read-16139.html
