3

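Just wanted to see if anyone could explain this a bit further.

In support article 829743 on microsoft.com, they say:

If you turn off the view state MAC feature, and then you use view state for controls that do not HTML encode (for example, a Label control), attackers can tamper with the view state data and can put arbitrary data in view state. This arbitrary data is decoded and then used by controls when they render the posted page. As a result, attackers can inject script into the application unless you work to prevent the attack. For example, an attacker could decode the data, inject script into the data where a Label control is, and then link to it from a Web site. Anyone who clicks on the link would be the victim of a script injection attack that could potentially steal their authentication cookies or session ID. The script could also let an attacker alter state data for controls that use view state, and application-specific attacks could occur as a result.

This makes no sense to me. Why would a label control, or any other static control that never changes and doesn't engage with http request data, need viewstate? I thought only form controls would use viewstate. Is there something I'm missing? If label controls use viewstate, that's messed up, IMHO. Just looking for clarification, if anyone can shed some light. Maybe it's not late enough, or I haven't had enough beer yet. Thanks!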

4

1 Answer

0

Why would a label control, or any other static control that never changes and doesn't engage with http request data, need viewstate?

First of all, the Literal, the Label and other controls have viewstate and use it by default, unless you turn it off for those controls using EnableViewState="false".

One reason that I can think of for using the viewstate is caching/saving/keeping the same data for the next post back. E.g. this code will keep the text inside the literal after the post back without setting it again.

<asp:Literal runat="server" EnableViewState="true" ID="txtLiterar" />

protected void Page_Load(object sender, EventArgs e)
{
    if (!IsPostBack)
    {
        txtLiterar.Text = "Time of start editing:" + DateTime.Now.ToString();
    }
}

After the post back the control will keep the first init value.

Why is EnableViewState on by default? Well, you can see the controls as variables that you set your data on in code behind, and you need to have it again after the postback. Or else why use controls? Type it directly into the page.

On the other hand, if you understand what you do and how they work, you can turn the viewstate off on most of them - and set them again on the post back.

In this answer I have written some more about the viewstate and where it is needed most: How I can deactivate ViewState without Control problems

Now let's go back to the real issue, the security.
If you turn off the validation of the viewstate, the text that is used for the Literal is also saved on the viewstate.

Anyone can read it and change it (if you have not secured it) and, let's say, change the text "Time of start editing" to "<script>alert("hello there");</script>"; now on the first post back the Literal will render the script, and here is the issue that it is warning you about.

answered 2013-06-01T02:06:45.463
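A simplified model of the two defenses discussed above (an integrity MAC over the state field, and HTML encoding on output), as an added example that is not from the original answer and is not ASP.NET's own view state format. The `StateField` class, its field layout and the key are hypothetical, and it assumes a modern .NET console program (for `CryptographicOperations.FixedTimeEquals`).

```csharp
using System;
using System.Net;
using System.Security.Cryptography;
using System.Text;

// Simplified model of a MAC-protected state field (NOT ASP.NET's real ViewState format).
static class StateField
{
    // Constructed demo key; a real application keeps its key in protected configuration.
    static readonly byte[] Key = Encoding.UTF8.GetBytes("constructed-demo-key-not-for-use");
    // Serialize the control text and append an HMAC-SHA256 tag: base64(text) "." base64(tag)
    public static string Protect(string controlText)
    {
        byte[] data = Encoding.UTF8.GetBytes(controlText);
        using (var hmac = new HMACSHA256(Key))
            return Convert.ToBase64String(data) + "." + Convert.ToBase64String(hmac.ComputeHash(data));
    }
    // Return the text only if the tag verifies; otherwise reject the posted field.
    public static bool TryLoad(string field, out string controlText)
    {
        controlText = null;
        string[] parts = field.Split('.');
        if (parts.Length != 2) return false;
        try
        {
            byte[] data = Convert.FromBase64String(parts[0]);
            byte[] tag = Convert.FromBase64String(parts[1]);
            using (var hmac = new HMACSHA256(Key))
                if (!CryptographicOperations.FixedTimeEquals(hmac.ComputeHash(data), tag)) return false;
            controlText = Encoding.UTF8.GetString(data);
            return true;
        }
        catch (FormatException) { return false; }
    }
}

static class Program
{
    static void Main()
    {
        string issued = StateField.Protect("Time of start editing: 12:00");
        // Constructed tampered post: the text part is replaced, the original tag is kept.
        string script = "<script>alert(\"hello there\");</script>";
        string tampered = Convert.ToBase64String(Encoding.UTF8.GetBytes(script)) + "." + issued.Split('.')[1];
        Console.WriteLine(StateField.TryLoad(issued, out string ok) + " " + ok);
        Console.WriteLine(StateField.TryLoad(tampered, out string rejected));
        // Second layer: encode on output so untrusted text is rendered as inert characters.
        Console.WriteLine(WebUtility.HtmlEncode(script));
    }
}
```

The untampered field loads, the modified field fails the MAC check, and the encoded string shows how the same text would appear if a control HTML-encoded it before rendering.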