Click here to Skip to main content
15,616,639 members
Please Sign up or sign in to vote.
0.00/5 (No votes)
I have been struggling at this for weeks. I have built a ASP.NET Web forms application and it is being audited for vulnerabilities.

Burp tool is being used for testing and it is able to intercept and edit the textbox values.

I have a simple form with textbox, button and I enter value "1234" in my txtUserID

Screen dump -

Burp is able to intercept the POST request and edit the txtUserID value [squared in black below]

Screen dump -

After editing the txtUserID textbox, the tampered value is reflected on the application.

Screen dump -

Please help me on how do I fix this vulnerability?

Thanks in advance.

What I have tried:

Site runs on a self signed certificate . MAC has been enabled, Viewstate encrypted application level in the web config [in case its relevant for this]
Updated 21-Nov-21 2:31am
Richard Deeming 22-Nov-21 6:48am    
Consider your threat model here: what precisely are you trying to protect against?

If your application is exclusively served over HTTPS, then the only way anyone can intercept or modify the communication with your server is if they have convinced the user to trust an invalid certificate, or to install a malicious add-in within their browser; or if they have somehow managed to convince a certificate authority to issue a certificate for your site without proper verification.

But if they've done any of those things, then you have much bigger problems to worry about.

1 solution

There's nothing you can do about the act of query string modification. However, just because it can be done, doesn't mean you can't take steps to protect yourself.

Take a look at this: HttpModule to encrypt query strings[^]
Share this answer
Member 14938962 24-Nov-21 15:21pm    
I'm sorry, but I'm trying to figure out how is this an Query string issue. The tampering is happening on the __viewstate
#realJSOP 24-Nov-21 15:45pm    
Where do you think the viewstate gets the parameters? If you only decrypt the query string long enough to use the parameters, all the user will see is the encrypted string in the view state
Member 14938962 25-Nov-21 2:33am    
Thanks for your response. But I don't have querystring values suffixed to the URL. Its just localhost and page name.

https://localhost:PORT NUMBER/Default1.aspx

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900