The other day I had cause to trigger an event firing in ASP.NET without actually having the user trigger the event, so I went about figuring out how that worked. It was simpler than I thought it would be, and it got me thinking about triggering events maliciously. I put together a vulnerable sample project, went to trigger it, and ran smack into ASP.NET Event Validation, which exists to thwart this exact attack. Disappointing.
But I remembered other cases where I had run into it, and I refreshed my memory by reading K Scott Allen's blog posts (first result on Google too!). Long story short, even though Event Validation exists, it may not always be turned on, because there are legitimate places where it makes life super annoying.
So here's how to hack it if Event Validation is turned off. It's also a good reminder to developers of why you should think twice before disabling it on a single page (or, god forbid, site-wide).
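To find where Event Validation has been switched off, here is a small audit check, added as an example and not code from the original post. It covers both places the setting lives: the `EnableEventValidation` attribute of the `@ Page` directive and the `enableEventValidation` attribute of `<pages>` in web.config. The sample config, sample page and the `Admin/Grid.aspx` path are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# The <%@ Page ... %> directive of a Web Forms page, and the attribute inside it.
PAGE_DIRECTIVE = re.compile(r"<%@\s*Page\b(.*?)%>", re.IGNORECASE | re.DOTALL)
EEV_ATTR = re.compile(r"\bEnableEventValidation\s*=\s*[\"']?\s*(\w+)", re.IGNORECASE)

# Constructed sample inputs (not from a real application).
SAMPLE_CONFIG = """<configuration>
  <system.web><pages enableEventValidation="true" /></system.web>
  <location path="Admin/Grid.aspx">
    <system.web><pages enableEventValidation="false" /></system.web>
  </location>
</configuration>"""
SAMPLE_PAGE = '<%@ Page Language="C#" EnableEventValidation="false" %>\n<form runat="server"></form>'


def page_disables_validation(aspx_text):
    """True if the @ Page directive sets EnableEventValidation to false."""
    directive = PAGE_DIRECTIVE.search(aspx_text)
    if not directive:
        return False  # no directive: the default (enabled) applies
    attr = EEV_ATTR.search(directive.group(1))
    return bool(attr) and attr.group(1).lower() == "false"


def config_disables_validation(web_config_text):
    """Return the scopes ("site-wide" or "location:<path>") that disable it."""
    findings = []

    def walk(node, scope):
        for child in node:
            name = child.tag.rsplit("}", 1)[-1]  # ignore any XML namespace
            if name == "location":
                walk(child, "location:" + child.get("path", ""))
            elif name == "system.web":
                walk(child, scope)
            elif name == "pages":
                value = child.get("enableEventValidation", "true")
                if value.strip().lower() == "false":
                    findings.append(scope)

    walk(ET.fromstring(web_config_text), "site-wide")
    return findings


if __name__ == "__main__":
    print(config_disables_validation(SAMPLE_CONFIG), page_disables_validation(SAMPLE_PAGE))
```
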