Question

Sorry for the title, don't know the easiest way to put it.

I am using ASP.NET VB.NET with WebForms. I have a DropDownList control on a page. Currently, when the selected dropdown changes, it posts back on a button click and does something with the selected value.

I am wondering if it is possible (by a hacker, etc.) to manipulate the values of the dropdown or send their changed values in a web request so that they can be outside the dropdown's defined options server side.

e.g.

    Private Sub testbutton_Click(sender As Object, e As EventArgs) Handles testbutton.Click
        Dim test As String = testdropDown.SelectedItem.Value
        testlabel.Text = test
    End Sub

Can the label be filled with something such as XSS if the selected value is changed outside the defined values by a user?

Or if I was placing that value into a SQL query, and only wanted the options of 1-10, could they change the dropdown value to enter, say, 25 and have it successfully pass into the query?

Solution

Yes, it is possible, but ASP.NET has a built-in mechanism to avoid it: http://msdn.microsoft.com/en-us/library/hh882339(v=vs.110).aspx. Even if the value is changed on the client side and it does not match the viewstate, it will throw an exception. I think you are safe as long as you do not change any default setting. It is not possible to change the values of the dropdown using client-side logic; it will throw a corrupt viewstate exception in .NET because of the EnableViewStateMac property.

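         int val;
         // TryParse returns false for missing or non-numeric input
         if (int.TryParse(Request.QueryString["val"], out val)) {
              // now check the range or custom business logic
              // (A1 is the upper bound, A2 the lower bound of the allowed range)
              if (val > A1 || val < A2)
                   throw new ApplicationException("Out of range");
              // process here

         } else {
            throw new ApplicationException("Some issue");
         }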
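
The asker's button handler with the value checked on the server, encoded before display and passed to SQL as a typed parameter, so it does not depend on framework defaults. This is an added example, not code from the original question or answer; the class name `TestPage`, the connection string name `AppDb` and the table and column names are assumptions.

```vb
Imports System.Configuration
Imports System.Data
Imports System.Data.SqlClient
Imports System.Web

' Code-behind for the page in the question; testdropDown, testlabel and
' testbutton are declared in the .aspx/designer file.
Partial Class TestPage            ' hypothetical class name
    Inherits System.Web.UI.Page

    ' Server-side allow-list: accept only the integers 1..10,
    ' regardless of what the browser actually submitted.
    Friend Shared Function TryGetOption(raw As String, ByRef value As Integer) As Boolean
        Return Integer.TryParse(raw, value) AndAlso value >= 1 AndAlso value <= 10
    End Function

    Private Sub testbutton_Click(sender As Object, e As EventArgs) Handles testbutton.Click
        Dim choice As Integer
        If Not TryGetOption(testdropDown.SelectedValue, choice) Then
            testlabel.Text = "Invalid selection."
            Return
        End If

        ' Label.Text is written to the page without HTML encoding,
        ' so encode request-derived data before display.
        testlabel.Text = HttpUtility.HtmlEncode(choice.ToString())

        ' Pass the value as a typed parameter, never by string concatenation.
        ' "AppDb", dbo.Items and Rank are hypothetical names.
        Dim cs As String = ConfigurationManager.ConnectionStrings("AppDb").ConnectionString
        Using conn As New SqlConnection(cs)
            Using cmd As New SqlCommand("SELECT COUNT(*) FROM dbo.Items WHERE Rank = @rank", conn)
                cmd.Parameters.Add("@rank", SqlDbType.Int).Value = choice
                conn.Open()
                Dim matches As Integer = CInt(cmd.ExecuteScalar())
                testlabel.Text &= " (" & matches.ToString() & " rows)"
            End Using
        End Using
    End Sub
End Class
```
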
Licensed under: CC-BY-SA with attribution