0

Does ASP.NET use a mechanism for disallowing manipulation of data between client and server?

If not, does it mean we should use SSL? What kind of attacks can SSL prevent?

If yes, what is this mechanism?

Shadow The GPT Wizard
Arian
  • SSL protects data between server and client. At both ends you are unprotected; communication data can be revealed easily, even by a kid who uses a Fiddler-like tool. An SSL cert cannot protect you. – Nime Cloud Mar 05 '12 at 22:33

3 Answers

4

No, the ASP.NET Web Forms and MVC frameworks do nothing to protect transport of data between client and server. The ViewState is an encrypted piece of data in Web Forms, but that does not mean it can't be tampered with on the way to the server or client. The short answer is to use at least 128-bit SSL with a CA-signed certificate if you want to prevent man-in-the-middle attacks.

JeremyWeir
  • Are there differences in coding before and after using SSL? – Arian Aug 24 '11 at 06:07
  • The main thing to consider when creating your pages is to not embed HTTP resources in a page that will be viewed under HTTPS. Browsers will complain about mixed security. – JeremyWeir Aug 24 '11 at 16:51
1

To disallow data manipulation between client and server, you have to have a way for the server to detect such manipulation. For ViewState this can be enabled in ASP.NET by making sure the ViewState has MAC and encryption enabled. Oh, and you should also set a ViewStateUserKey.

For other parameters, however, an attacker can manipulate the parameters. So use SSL/TLS. SSL/TLS sets up an encrypted connection between your client and server, making it impossible (unless poorly configured) for an attacker to sniff out data or manipulate the content.

Not using SSL/TLS allows all sorts of attacks (sniffing session cookies on open wireless networks, injecting packets and manipulating the returned web page, etc.).

Erlend
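
A simplified model of the server-side tamper detection described in the answer above, as an added example that is not part of the original answers and is not ASP.NET's own implementation: the server appends an HMAC keyed per user to the state it sends out, then rejects a posted value that was modified or that was issued under a different user key. The names `SignedState`, `Protect` and `TryUnprotect`, the session labels and the sample state are constructed for illustration.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
// Simplified model of a MAC-protected hidden field. Assumption: this is not
// ASP.NET's real ViewState format, and it gives integrity only, no encryption.
static class SignedState
{
    const int TagLen = 32; // HMAC-SHA256 output size in bytes
    // Derive a per-user key first, so a value issued to one user does not
    // verify for another (the role ViewStateUserKey plays in the answer above).
    static byte[] Tag(byte[] serverKey, string userKey, byte[] body)
    {
        using (var kdf = new HMACSHA256(serverKey))
        using (var mac = new HMACSHA256(kdf.ComputeHash(Encoding.UTF8.GetBytes(userKey))))
            return mac.ComputeHash(body);
    }
    public static string Protect(byte[] serverKey, string userKey, string state)
    {
        byte[] body = Encoding.UTF8.GetBytes(state);
        return Convert.ToBase64String(body.Concat(Tag(serverKey, userKey, body)).ToArray());
    }

    public static bool TryUnprotect(byte[] serverKey, string userKey, string posted, out string state)
    {
        state = null;
        byte[] blob;
        try { blob = Convert.FromBase64String(posted); } catch (FormatException) { return false; }
        int n = blob.Length - TagLen;
        if (n < 0) return false; // too short to contain a tag
        byte[] expected = Tag(serverKey, userKey, blob.Take(n).ToArray());
        int diff = 0; // compare every byte so timing does not reveal where a mismatch is
        for (int i = 0; i < TagLen; i++) diff |= expected[i] ^ blob[n + i];
        state = diff == 0 ? Encoding.UTF8.GetString(blob, 0, n) : null;
        return diff == 0;
    }

    static void Main()
    {
        byte[] key = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        string field = Protect(key, "session-A", "role=user;cart=3"); // constructed sample state
        byte[] raw = Convert.FromBase64String(field);
        raw[5] ^= 0x01; // constructed tampering: one bit of the state changed in transit
        Console.WriteLine(TryUnprotect(key, "session-A", field, out _));                       // unmodified value
        Console.WriteLine(TryUnprotect(key, "session-A", Convert.ToBase64String(raw), out _)); // modified value
        Console.WriteLine(TryUnprotect(key, "session-B", field, out _));                       // other user's key
    }
}
```

The tag only lets the server detect changes to this one field; other request parameters and the page itself still depend on SSL/TLS for protection in transit.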
1

ASP.NET uses ViewState on the client side to retain values - which is practically unbreakable. However, any web application passes (posts) data to the server via the web browser, which is passed in chunks of packet data using the TCP/IP protocol. This information can be easily monitored using some software to see what data is being transmitted (however, changing this data while it is being transmitted to the server seems very, very difficult in real time). SSL simply encrypts the data (say, the user name and password you typed in the login box) before the browser sends it to the server; this data can be monitored while being transmitted on TCP/IP channels, but it would be in encrypted format. Thus, secure.

However, you can make your application secure by taking care of the points from these links:

President James K. Polk
DipakRiswadkar
  • You can have free SSL from http://www.startssl.com/ during development or test mode. – DipakRiswadkar Aug 24 '11 at 05:56
  • Thanks. If I have a web site with no SSL, what kind of changes should I make after getting SSL? I mean, are there differences in coding before and after using SSL? – Arian Aug 24 '11 at 06:06
  • Hi Nima, there is practically no change in coding. However, the deployment part on IIS is a little different. Please refer to http://support.microsoft.com/kb/299875 – DipakRiswadkar Aug 25 '11 at 04:33