Is it possible to decode, and is it possible to tamper with, the `__EVENTVALIDATION` field? I have found a lot of information about this, but in reality none of it says whether the value is protected from tampering or not. I tried to base64-decode it and got gibberish back, so I'm assuming it is actually encrypted, but if someone knows for sure and can verify it, that would be awesome.
I know the ViewState is not encrypted (although you can set it to be). I am not interested in that, I am only interested in event validation.
I found a similar question, but there was no specific answer about the event validation field.
Concrete example: I have a dropdown of available reports that the user can run. It is populated with some "member" reports, but some "admin only" reports are added during onload, and only added if the user is an administrator. When the page is posted back, can I trust event validation to be safe, i.e. that the user has not injected an "admin only" report into the list of acceptable values, or should I re-check in my postback handler that the user is allowed to run the actual report that was selected?
First of all, event validation is a backstop protection against XSRF, not against malicious users.
If you want to make sure that they can only run reports that they have permission to run, check that they are allowed to run the report at the point where you run it.
Second, the event validation data is encrypted and there is a MAC in it, so it is very hard to tamper with, but trusting it is not the right way to solve your problem.
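The pattern the answer recommends, as an added example that is not from the question, the answer or the ASP.NET framework itself: the same role-based helper decides which reports go into the dropdown and which report the postback handler is allowed to run, so authorization never depends on what `__EVENTVALIDATION` did or did not protect. The report ids, the "Admin" role name, the control id `ReportDropDown` and the `RunReport` helper are all assumptions for illustration.

```csharp
// Added example (not from the original question or answer). An ASP.NET Web Forms
// page that populates a report dropdown per role and re-authorizes on postback.
// Report ids, the "Admin" role and the helper names are assumptions.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class Reports : Page
{
    // Constructed catalogue: report id -> role required to run it (null = any signed-in member).
    private static readonly Dictionary<string, string> ReportRequiredRole =
        new Dictionary<string, string>(StringComparer.Ordinal)
        {
            { "monthly-summary", null },
            { "my-activity",     null },
            { "all-users-audit", "Admin" },
            { "billing-export",  "Admin" },
        };

    // Single source of truth: used both to build the dropdown and to authorize the
    // postback, so the two can never disagree.
    private static IEnumerable<string> ReportsAllowedFor(IPrincipal user)
    {
        return ReportRequiredRole
            .Where(kv => kv.Value == null || user.IsInRole(kv.Value))
            .Select(kv => kv.Key);
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        if (IsPostBack) return;
        ReportDropDown.Items.Clear();
        foreach (var id in ReportsAllowedFor(User))
            ReportDropDown.Items.Add(new ListItem(id, id));
    }

    // The pattern the question asks about, shown for contrast: the handler runs
    // whatever was selected and relies on event validation having kept the list intact.
    //
    // protected void Run_Click(object sender, EventArgs e)
    // {
    //     RunReport(ReportDropDown.SelectedValue);
    // }

    // Hardened handler: authorize at the point the report is actually run.
    protected void Run_Click(object sender, EventArgs e)
    {
        // Read the raw posted value so the check does not depend on how the control
        // resolved it (or on whether event validation was enabled for this page).
        string requested = Request.Form[ReportDropDown.UniqueID] ?? string.Empty;

        if (!ReportsAllowedFor(User).Contains(requested, StringComparer.Ordinal))
        {
            // A well-formed __EVENTVALIDATION token says nothing about this user's rights.
            Response.StatusCode = 403;
            Response.End();
            return;
        }

        RunReport(requested);
    }

    private void RunReport(string reportId)
    {
        // Assumed helper: execute the report identified by reportId.
    }
}
```

Keeping event validation switched on is still worthwhile as the backstop the answer describes; the point of the example is that the `Run_Click` authorization check would be just as necessary with it on or off.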