ASP.net form tampering is not possible?

Genbox wrote (#1):

Hi. I've made a sample ASP.net 2.0 page to demonstrate form tampering. But the problem is that I can't get it to work. (Normally that should be a good thing.) This is my ASP.net page:

value1 value2

and my C# backend page:

    protected void Page_Load(object sender, EventArgs e)
    {
        Response.Write(DropDownList1.Text);
    }

Now, the problem is that when I edit the source of the HTML site that the browser displays, and press the submit button, the newly created value doesn't get registered on the server as it's supposed to (form tampering). I had already disabled EventValidation, as I figured that it would throw me an exception because the HTML source would have changed on the postback. The result I get instead is that the page posts back and selects the first item in the DropDownList1 instead of the item I created client-side (in the HTML).

Do you guys have a solution to this? Any help would be nice.

Guffa wrote (#2):

When you post the form, only the value from the selected item in the dropdown list is included in the form data, not all the items, and not the entire items. Just that single value. Therefore it's impossible to recreate a list item from the form data. When the page is recreated, the dropdown list is recreated with the options that exist in the original code. Then the selected value that was sent from the form is checked against the items that exist, and as it doesn't match any of those, none of them will be selected.

Genbox wrote (#3):

That I am aware of. If I select an item, the item will be displayed by Response.Write(DropDownList1.Text). But if I add an extra option manually in the source of the HTML, select it and make a postback, then it's not displayed on the page. That only happens if the control that I am using (dropdownlist) has a runat="server" in it. If I make my own HTML dropdownlist (HTML select) and fetch the values by using Request.Form, then the values work and I can make a form tampering. So ASP.net has to do something implicit that I would like to know of.

Guffa wrote (#4):

I explained how the items in the dropdown list are created, how the item is selected according to the form data, that an item that does not exist cannot be selected, and why you can't add items to the server control by adding them to the HTML code. You say that you are aware of that, but still you ask why you can't select an item that does not exist. As I already answered that question, you have to explain what it is in my answer that you don't understand.

Genbox wrote (#5):

I misunderstood what you said. I think I understand it now: you can't retrieve data from a server control that has not been declared at the rendering phase of the site, am I correct? But that also means that I can't create a JavaScript to populate the dropdownlist and then get its data by referring to the dropdownlist object? I guess that it's a fair trade of functionality to security.
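
A simplified model of the behaviour discussed in this thread, as an added example that is not part of the original posts and is not ASP.NET's own code: it contrasts a server control that matches the posted value against its declared items with a raw Request.Form-style read, and shows the explicit allowlist check the raw read needs. The field name used as the form key, the value "injected", the helper names and the form data are assumptions constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.Specialized;

static class PostbackModel
{
    // Items declared on the server (the "value1"/"value2" options from post #1).
    static readonly List<string> Declared = new List<string> { "value1", "value2" };

    // Model of the server control: the posted value is matched against the
    // declared items; with no match nothing is selected, and the drop-down
    // then reports its first item, which is what post #1 observed.
    public static string ServerControlValue(NameValueCollection form, string name)
    {
        string posted = form[name];
        return posted != null && Declared.Contains(posted) ? posted : Declared[0];
    }

    // Raw read, as with a plain HTML select and Request.Form: no check at all,
    // so whatever the client sent is what the page works with.
    public static string RawValue(NameValueCollection form, string name)
    {
        return form[name];
    }

    // Raw read with the allowlist check done explicitly; unknown values are rejected.
    public static bool TryValidatedValue(NameValueCollection form, string name, out string value)
    {
        value = form[name];
        if (value != null && Declared.Contains(value)) return true;
        value = null;
        return false;
    }

    static void Main()
    {
        // Constructed form data: the client added an option and selected it.
        var form = new NameValueCollection();
        form.Add("DropDownList1", "injected");

        Console.WriteLine("server control: " + ServerControlValue(form, "DropDownList1"));
        Console.WriteLine("raw read:       " + RawValue(form, "DropDownList1"));
        string v;
        Console.WriteLine("validated read: " +
            (TryValidatedValue(form, "DropDownList1", out v) ? v : "(rejected)"));
    }
}
```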
