ASP. NET verifies control security risks

This article is to believe too much, ms asp. NET verification controls, and JS verification of a friend of a piece of advice! Please do not use this method to black people.

All the client authentication control of ASP. NET is put in one:

% Systemdrive % \ Inetpub \ wwwroot \ aspnet_client \ system_web \ 2017100004322

The last 11_00004322 directory in JS named webuivalidation. js under the directory is the. NET environment with different versions.

The mechanism for IE to download files is that if the files on the server are not changed, they will not be downloaded again, that is to say, if you modify the file in the cache in some way and the file size does not change, you can crack the client limit of the JS file. It should be ASP. net webuivalidation. JS is not updated frequently (not updated at all)

 

1. Go to your IE cache directory [Internet properties \ General \ Settings button] to see

2. Clear all directories in a directory named content. ie5.

3. Access the ASPX page you want to test (there must be a verification control above)

4. After you see the webpage, you can search webuivalidation [1]. js in content. ie5 (usually called this name)

5. Open whatever you want and find the function validatorcommonsubmit () function.
Change
Event. returnvalue =! Page_blocksubmit;
Cheng
Event. returnvalue = true ;;;;;;;;;;;;;;
The size remains unchanged (-:

6. Save and open the test page and click Submit.

 

Haha, the verification text has come out, but it will still be submitted to the server to see the progress bar under ie. It took you half a day to write the "Regular Expression" and it will be over in just dozens of seconds, cry. If you are not authenticated on the server, it is easy to save illegal data to the server.

I personally think that the MS verification control, is to verify the user data to save the user's time (MS did not say this thing is safe, right) but it is easy to give beginners a safe assumption, because there are a lot of ASP. net friends do not understand JavaScript at all. Specifically, they may not understand HTML.

This may be the negative impact of Microsoft Visual Studio. NET's powerful functions.

This hidden risk does not affect laruence. I personally do not believe in JS script verification data (including self-written data ), it is impossible to perform security verification on the client. Not much.Code.

Test environment: Win2000, Microsoft? . NET Framework 1.1

Address: http://www.goowind.com/Tech/42/Detail_12303_1/