RobD

Reputation: 1704

Do ASP.Net controls expose SQL Queries via viewstate?

Do controls that are part of the default ASP.Net control set ALL use viewstate or controlstate all the time?

i.e. If I drop the code below onto a brand new web form, is my SQL string placed in unencrypted controlstate?

<asp:SqlDataSource ID="mobileData" runat="server" 
        DataSourceMode="DataReader" 
        SelectCommand="SELECT * from ma.bob WHERE Vendor IS NOT NULL" 
/>

I'm aware of how to encrypt viewstate and controlstate, but it seems crazy to me that this common use case could be so horrendously insecure. Surely one could perform a SQL injection attack by modifying the controlstate?

I think most people think of encrypting controlstate for sensitive applications, but actually, if my assumption is true - then it should always be done - and Visual Studio should enable it by default?

Am I thinking about this correctly, or do I have the wrong end of the stick?

Upvotes: 4

Views: 605

Answers (2)

O.O

Reputation: 11307

To answer your question, no.
From MSDN:

For security purposes, the SelectCommand property is not stored in view state. Because it is possible to decode the contents of view state on the client, storing sensitive information about the database structure in view state could result in an information disclosure vulnerability.

Upvotes: 1

Adrian Iftode

Reputation: 15663

This info is never stored in the ViewState.

Not all properties are created like this

public string SomeProperty
{
    get
    {
        // Read the value back from the ViewState StateBag; null means it was never set
        object obj = ViewState["SomeProperty"];
        return (obj == null) ? String.Empty : (string)obj;
    }
    set
    {
        // Writing to the StateBag is what causes the value to be serialized into __VIEWSTATE
        ViewState["SomeProperty"] = value;
    }
}

SelectCommand here is assigned in a generated C#/VB class by the PageParser. That class will contain a line like

 mobileData.SelectCommand = "SELECT * from ma.bob WHERE Vendor IS NOT NULL";

and this assignment is made every time the page is requested. There is no need for ASP.Net to keep this in ViewState.


However if you do something like

  <asp:HiddenField runat="server" Value="SELECT * from ma.bob WHERE Vendor IS NOT NULL" />

This will go into the ViewState (what I said about the parser is true here also, but here the setter implements that ViewState mechanism).

Upvotes: 1
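A way to check the worry in the question against your own rendered pages (an added example, not code from the question or either answer): pull __VIEWSTATE out of the HTML, base64-decode it, and look for the query text. The sample pages are constructed here to mimic the serializer's string token and are not real ASP.NET output.

```python
"""Audit a rendered ASP.NET page: does a given string survive into __VIEWSTATE?"""
import base64
import re

# The query from the question, used as the string we look for.
SQL = "SELECT * from ma.bob WHERE Vendor IS NOT NULL"


def extract_viewstate(html):
    """Return the base64 __VIEWSTATE value from rendered page HTML, or None."""
    m = re.search(r'id="__VIEWSTATE"\s+value="([^"]*)"', html)
    return m.group(1) if m else None


def audit(html, needle):
    """Report whether viewstate is present, unencrypted, and contains `needle` readably.

    ObjectStateFormatter output begins with 0xFF 0x01; encrypted viewstate does not
    (a MAC only appends a hash, so the marker survives). Strings are serialized as
    length-prefixed UTF-8, so a plain byte search is enough to spot them.
    """
    vs = extract_viewstate(html)
    if vs is None:
        return {"present": False, "plaintext": False, "leaks": False}
    blob = base64.b64decode(vs)
    return {"present": True, "plaintext": blob[:2] == b"\xff\x01",
            "leaks": needle.encode("utf-8") in blob}


# --- Constructed sample pages below are NOT real ASP.NET output ---
def _string_token(s):
    """Mimic the ObjectStateFormatter string token: 0x05, 7-bit length, UTF-8."""
    data = s.encode("utf-8")
    n, prefix = len(data), b""
    while n >= 0x80:  # same scheme as BinaryWriter.Write7BitEncodedInt
        prefix += bytes([(n & 0x7F) | 0x80])
        n >>= 7
    return b"\x05" + prefix + bytes([n]) + data


def sample_page(*strings):
    """Wrap constructed viewstate content in the hidden input ASP.NET renders."""
    blob = b"\xff\x01" + b"".join(_string_token(s) for s in strings)
    b64 = base64.b64encode(blob).decode("ascii")
    return '<input type="hidden" id="__VIEWSTATE" value="%s" />' % b64


# SqlDataSource alone: SelectCommand is re-assigned by the generated page class each
# request, so only control ids/state reach viewstate. HiddenField.Value does persist.
PAGE_SQLDATASOURCE = sample_page("mobileData")
PAGE_HIDDENFIELD = sample_page("mobileData", SQL)
```

Feed `audit()` the saved HTML of a real page and the string you are worried about; a `plaintext` of False means the viewstate is encrypted and the byte search cannot see inside it.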
