2

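I read somewhere that it is possible to modify the view state, but I couldn't find the steps to do it.

For example: I want to modify a label's view state. Initially the label text is "Hi..", and I want to change it to "Hello" by modifying its view state on postback.

Any suggestions would be appreciated.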

4

5 Answers

4

I'm guessing you're talking about maliciously modifying the __VIEWSTATE hidden field as an end user, not modifying the ViewState from within code. This may or may not be feasible (hopefully not), depending on some of your application's settings. The two that are going to make it pretty hard are EnableViewStateMac and ViewStateEncryptionMode. These are often set on the <pages> element in Web.config.

ViewStateEncryptionMode is not really designed to prevent ViewState tampering; it's meant to obscure whatever content you have embedded in ViewState. For example, if you decided to add some secret information about yourself to ViewState (e.g., ViewState["secretinfo"] = "My social security number is xxx-xx-xxxx.";), any user that comes along and loads your page can take your __VIEWSTATE field and run it through a base64 decoder to find your social security number—unless, of course, you're encrypting ViewState.

As an example, here's a .aspx page I found through a simple Google search. View source, grab the ViewState, and paste it into this base64 decoder. Among a few ugly characters, you'll find a bunch of plain text. This ViewState has obviously not been encrypted (which is probably not a bad thing).

Now, if you were a curious or possibly malicious person, you might try to modify some of the text you found in the ViewState, re-encode it as base64, and plop it back into the __VIEWSTATE field. (In many browsers, just open the JS console and type document.querySelector("[name=__VIEWSTATE]").value = "whatever your base64 text is";.) Now when you submit the form, the page will post back with the modified ViewState.

This is where EnableViewStateMac comes into play. As MSDN notes, this setting should always be enabled on a production site, as this is the setting that's meant to prevent malicious folks from tampering with the __VIEWSTATE field. To oversimplify, it basically calculates a hash (actually a message authentication code) of the __VIEWSTATE value and sends this alongside the __VIEWSTATE. (It's embedded at the end of the string and doesn't decode back to a nice plain-text string.) If you modify some text within the __VIEWSTATE, the message will no longer match the MAC, and .NET will catch this and throw an exception before you even have a chance to process the request.

TL;DR
As long as you have EnableViewStateMac on (which you should), you can't really modify the __VIEWSTATE field.

answered 2012-05-28T15:25:55.453
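
Added example (not part of the answer above and not ASP.NET's own code): a simplified Python model of the append-and-verify MAC check that EnableViewStateMac performs, showing why an edit made to the decoded field without the server's key is rejected on postback. The key, the payload bytes and all function names are constructed for illustration; the real framework uses its own serializer and takes its validation key from `<machineKey>`.

```python
import base64
import hashlib
import hmac

# Constructed stand-ins: neither ASP.NET's binary serialization nor its
# key handling is modelled here, only the "state + MAC" layout.
VALIDATION_KEY = b"constructed-demo-key-not-a-real-machineKey"
MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def protect(state: bytes, key: bytes = VALIDATION_KEY) -> str:
    """Server, page render: append HMAC(state) and base64 the result."""
    mac = hmac.new(key, state, hashlib.sha256).digest()
    return base64.b64encode(state + mac).decode("ascii")


def unprotect(field: str, key: bytes = VALIDATION_KEY) -> bytes:
    """Server, postback: verify the trailing MAC before trusting the state."""
    try:
        raw = base64.b64decode(field, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("view state is not valid base64") from exc
    if len(raw) < MAC_LEN:
        raise ValueError("view state too short to carry a MAC")
    state, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(key, state, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        raise ValueError("view state MAC validation failed")
    return state


def edit_without_key(field: str, old: bytes, new: bytes) -> str:
    """The edit described in the answer: decode, change text, re-encode."""
    raw = base64.b64decode(field)
    return base64.b64encode(raw.replace(old, new)).decode("ascii")


def demo() -> dict:
    field = protect(b"myLabel.Text=Hi..")
    results = {"untouched": unprotect(field)}
    try:
        unprotect(edit_without_key(field, b"Hi..", b"Hello"))
        results["edited"] = "accepted"
    except ValueError as exc:
        results["edited"] = str(exc)
    return results


if __name__ == "__main__":
    print(demo())
```
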
1

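You can change the label's view state by setting the Text property of the label object in the code-behind. Most properties of the built-in ASP.NET controls are backed by viewstate, so setting the property will indirectly change that control's viewstate.

In your .aspx:

    <asp:Label id="myLabel" runat="server" Text="Hi.." />

In your .aspx.cs:

    myLabel.Text = "Hello";

answered 2012-05-28T14:18:46.037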
1

Can't you just reset the value on the PostBack event? Like:

    mylabel.Text = "你好";

answered 2012-05-28T14:18:52.417
1

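View state is stored in a hidden field on the page. However, view state stores its data in a hashed format [encoded format], so modifying it with correct values is not easy, and doing so results in view state tampering.

To modify the ViewState, you need to know the correct encoding and decoding algorithms.

So do not try to modify the view state.

answered 2012-05-28T14:23:27.907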
0

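The short answer is that you can.

To modify the view state, you basically have to:

  1. Deserialize the view state
  2. Identify the key/value pair associated with the label's text (at this point it is an Xml dictionary containing key/value pairs)
  3. Adjust it
  4. Serialize the view state

This article takes a more in-depth look at parsing view state. It also includes references to tools that can be used to parse/decode view state: Understanding ASP.NET View State

answered 2012-05-28T15:04:17.600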