Click here to Skip to main content
15,868,016 members
Articles / Web Development / ASP.NET
Tip/Trick

The Power of ViewState in ASP.NET

Rate me:
Please Sign up or sign in to vote.
4.17/5 (6 votes)
7 Sep 2012CPOL 33.1K   12   12
How to prevent one-click attacks.

Introduction

One of my client servers was attacked by an 'One-Click Attack'. Do you know what an one-click attack is? I don’t want to annoy you with a long description of it, so I will make it short! An one-click attack is when a hacker creates HTML that includes a form and a link which, when clicked, submits the form to the server being attacked. The hacker use it to then spam the target site.

Solution

In one-click attacks they use third parties. Like emails with content that looks familiar like: "click here to claim your prize". You can set the ViewStateUserKey property on your pages and it will be stored in ViewState. If the page is postback, the runtime checks the ViewState to make sure it’s equal to the current ViewStateUserKey.

Here is an example of a code that can solve your problem:

C#
protected void Page_Init(object sender, EventArgs e)
{
  this.ViewStateUserKey = Request.UserHostAddress;
}

And now attackers can’t copy your hidden field and use it in an one-click attack!

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


Written By
Software Developer (Senior)
Iran (Islamic Republic of) Iran (Islamic Republic of)
Taha has started programming at the age of 16 and he has taken an avid interest in Microsoft technologies. He professionally works on ASP.NET and C#. Mainly, He lives for getting the world into codes and follows this aspiration in a third world country with lack of facility and support. He never gives up seeking success and competence.

Comments and Discussions

 
GeneralMy vote of 1 Pin
CoolVini27-Dec-13 4:18
CoolVini27-Dec-13 4:18 
GeneralRe: My vote of 1 Pin
taha bahraminezhad Jooneghani11-Nov-14 20:28
taha bahraminezhad Jooneghani11-Nov-14 20:28 
GeneralRe: My vote of 1 Pin
CoolVini21-Nov-14 5:48
CoolVini21-Nov-14 5:48 
Questionone click attack Pin
bhargavpp17-Sep-12 19:31
bhargavpp17-Sep-12 19:31 
AnswerRe: one click attack Pin
taha bahraminezhad Jooneghani17-Sep-12 22:19
taha bahraminezhad Jooneghani17-Sep-12 22:19 
GeneralRe: one click attack Pin
bhargavpp17-Sep-12 23:41
bhargavpp17-Sep-12 23:41 
AnswerRe: one click attack Pin
taha bahraminezhad Jooneghani18-Sep-12 0:11
taha bahraminezhad Jooneghani18-Sep-12 0:11 
GeneralRe: one click attack Pin
bhargavpp18-Sep-12 0:14
bhargavpp18-Sep-12 0:14 
QuestionNice Article Pin
kkankala7-Sep-12 5:16
kkankala7-Sep-12 5:16 
AnswerRe: Nice Article Pin
taha bahraminezhad Jooneghani8-Sep-12 9:21
taha bahraminezhad Jooneghani8-Sep-12 9:21 
in some projects you don't want to use session because its become expensive with high traffic!(session use per user and use memory as you know) and the next problem is session time out!
I have this argument when I want to submit this tip!
I hope I can help you with my tip!
GeneralNice Pin
sund7wells19-Mar-12 23:54
sund7wells19-Mar-12 23:54 
GeneralRe: Nice Pin
taha bahraminezhad Jooneghani20-Mar-12 9:24
taha bahraminezhad Jooneghani20-Mar-12 9:24 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Praise Praise    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.