I'm no hacker. But in order to write secure web applications I try to get into the mindset of one.
Here's my current challenge: I've got a web application that should allow connections from the internet. It should use forms authentication and run under a specific Windows user account. In other words: the IIS application requires “Anonymous Access”.
But... here's the catch - in some instances the application should be able to retrieve the current connected client's username. With “Anonymous Access” enabled this isn't possible, because Internet Explorer won't post the LOGON_USER session variable!
Ok... one way around this would be to write an ActiveX component that can detect the username and put it in a hidden textbox. Then post the hidden textbox value to the server.
Now, a hacker's question - “Can I modify that hidden textbox's value before posting to the server?” That way I can spoof some other user. Unfortunately this is very simple. You can add a bookmark/favorite that will execute JavaScript! On [this site] you'll find a lot of interesting scripts.
Among other things you can easily do the following -
- Show hidden text fields.
- Show contents of password fields.
- Re-enable disabled controls.
- Remove maximum length bound on a textbox.
All with some simple JavaScript. Any monkey can do this. Scary stuff! This is why it's very important to validate on the client AND the server. Luckily this is done automatically using the ASP.NET validator controls.