Click here to Skip to main content
Click here to Skip to main content

The Power of ViewState in ASP.NET

, 7 Sep 2012 CPOL
Rate this:
Please Sign up or sign in to vote.
How to prevent one-click attacks.

Introduction

One of my client servers was attacked by an 'One-Click Attack'. Do you know what an one-click attack is? I don’t want to annoy you with a long description of it, so I will make it short! An one-click attack is when a hacker creates HTML that includes a form and a link which, when clicked, submits the form to the server being attacked. The hacker use it to then spam the target site.

Solution

In one-click attacks they use third parties. Like emails with content that looks familiar like: "click here to claim your prize". You can set the ViewStateUserKey property on your pages and it will be stored in ViewState. If the page is postback, the runtime checks the ViewState to make sure it’s equal to the current ViewStateUserKey.

Here is an example of a code that can solve your problem:

protected void Page_Init(object sender, EventArgs e)
{
  this.ViewStateUserKey = Request.UserHostAddress;
}

And now attackers can’t copy your hidden field and use it in an one-click attack!

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Share

About the Author

taha bahrami
Web Developer
Iran (Islamic Republic Of) Iran (Islamic Republic Of)
Taha has started programming at the age of 16 and he has taken an avid interest in Microsoft technologies. He professionally works on ASP.NET and C#. Mainly, He lives for getting the world into codes and follows this aspiration in a third world country with lack of facility and support. He never gives up seeking success and competence.
Follow on   Twitter   Google+

Comments and Discussions

 
GeneralMy vote of 1 PinmemberCoolVini27-Dec-13 4:18 
Questionone click attack Pinmemberbhargavpp17-Sep-12 19:31 
AnswerRe: one click attack Pinmembertaha bahrami17-Sep-12 22:19 
GeneralRe: one click attack Pinmemberbhargavpp17-Sep-12 23:41 
AnswerRe: one click attack Pinmembertaha bahrami18-Sep-12 0:11 
GeneralRe: one click attack Pinmemberbhargavpp18-Sep-12 0:14 
QuestionNice Article Pinmemberkkankala7-Sep-12 5:16 
AnswerRe: Nice Article Pinmembertaha bahrami8-Sep-12 9:21 
in some projects you don't want to use session because its become expensive with high traffic!(session use per user and use memory as you know) and the next problem is session time out!
I have this argument when I want to submit this tip!
I hope I can help you with my tip!
GeneralNice Pinmembersund7wells19-Mar-12 23:54 
GeneralRe: Nice Pinmembertahared66620-Mar-12 9:24 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

| Advertise | Privacy | Mobile
Web02 | 2.8.141015.1 | Last Updated 7 Sep 2012
Article Copyright 2012 by taha bahrami
Everything else Copyright © CodeProject, 1999-2014
Terms of Service
Layout: fixed | fluid