[Javascript] DevToolbar

[Allard Schripsema]

Thanks everyone for replying this question.

I understand that there is no magic/silver bullet solution for clientside
hacking using javascript or anything alike, but hoped there would be some
tool(serverside) to help protect the pages, not having to check all data
"manually".

Any tips (serverside tools, pagegenerators with build-in checks,
characteristics of certain languages etc) are welcome!

Allard Schripsema
www.VisualDigital.com.br





-----Original Message-----
From: javascript-bounces at LaTech.edu
[mailto:javascript-bounces at LaTech.edu]On Behalf Of Nick Fitzsimons
Sent: Thursday, February 16, 2006 6:55 AM
To: [JavaScript List]
Cc: [JavaScript List]
Subject: Re: [Javascript] DevToolbar



> Is the aspnet viewstate a defence against this kind of pagetampering, or
> does it also simply accept changes? How do other languages protect
> themselves?
> Is there any easy way of protecting the pages against these tools?

As others have pointed out, your server should never trust any information
sent to it by the client, and that includes ASP.NET viewstate. In *any*
JavaScript-capable browser you can type the following into the location
bar (names/ids from viewing the source of blogs.msdn.com):

javascript:void(document.getElementById("__aspnetForm").elements["__VIEWSTAT
E"].value
= "some spurious rubbish")

and the viewstate is invalid. Thus, without any need for "hacker tools",
ASP.NET applications can have their state removed or changed. (Cookies can
be manipulated the same way.)

So you need to ensure that every single character that is submitted to the
server is validated *by the server*, or your application/site is at risk.

Regards,

Nick.
--
Nick Fitzsimons
http://www.nickiftz.co.uk/

_______________________________________________
Javascript mailing list
Javascript at LaTech.edu
https://lists.LaTech.edu/mailman/listinfo/javascript