[Javascript] DevToolbar

[Nick Fitzsimons]

> Is the aspnet viewstate a defence against this kind of pagetampering, or
> does it also simply accept changes? How do other languages protect
> themselves?
> Is there any easy way of protecting the pages against these tools?

As others have pointed out, your server should never trust any information
sent to it by the client, and that includes ASP.NET viewstate. In *any*
JavaScript-capable browser you can type the following into the location
bar (names/ids from viewing the source of blogs.msdn.com):

javascript:void(document.getElementById("__aspnetForm").elements["__VIEWSTATE"].value
= "some spurious rubbish")

and the viewstate is invalid. Thus, without any need for "hacker tools",
ASP.NET applications can have their state removed or changed. (Cookies can
be manipulated the same way.)

So you need to ensure that every single character that is submitted to the
server is validated *by the server*, or your application/site is at risk.

Regards,

Nick.
-- 
Nick Fitzsimons
http://www.nickiftz.co.uk/