08.24.07
Invalid Postback Or Callback Argument
By
Mads Kristensen
I've hooked up a health monitoring provider in my web.config to send me all unhandled exceptions by e-mail. See here how to do that - you just have to put some lines in the web.config.
Well, I get all sorts of different exceptions, but one of them I get more than 20 times a day. It's actually rare that I get anything other than this one particular unhandled exception.
It looks like this:
Exception type: System.ArgumentException
Exception message: Invalid postback or callback argument. Event validation is enabled using <pages enableEventValidation="true"/> in configuration or <%@ Page EnableEventValidation="true" %> in a page. For security purposes, this feature verifies that arguments to postback or callback events originate from the server control that originally rendered them. If the data is valid and expected, use the ClientScriptManager.RegisterForEventValidation method in order to register the postback or callback data for validation.
Am I an idiot?
Now you might think that I'm an idiot for not doing anything about it months ago, but hold on a minute. It says that a postback is invalid because event validation is turned on. It's turned on by default in ASP.NET so that's no big surprise. No, my dear reader, this is not an error I would like to remove by disabling the event validation, because this error is in fact caused by spam bots trying to spam my comments.
They all fail in doing so because event validation is enabled, and it throws this exception every time they try. Did I mention that event validation is turned on by default and is a native feature of ASP.NET? That means that every ASP.NET application has a natural spam bot protection system built right into it by default. How cool is that?
Maybe this example will convince those of you who didn't believe me in the last post I did about ASP.NET security and unnecessary CAPTCHAs.
Update 30 minutes later: I've just received 25 more mails in half an hour. Maybe the bots read my post and didn't believe me either.
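One way to record these rejected postbacks as bot noise instead of letting each one surface as an unhandled exception, shown as an added example (not code from the original post). The class name Global, the helpers IsEventValidationFailure and Clean, and the 400 response are choices of this example, and it assumes the exception is thrown from ClientScriptManager.ValidateEvent.

```csharp
// Global.asax.cs: added example, not from the original post.
using System;
using System.Web;
using System.Web.UI;

public class Global : HttpApplication
{
    // Unwraps the page-level wrapper and checks where the exception was thrown.
    // Assumption: the event-validation failure is thrown from
    // ClientScriptManager.ValidateEvent. The message text is not compared
    // because it varies with the server's language.
    internal static bool IsEventValidationFailure(Exception ex)
    {
        while (ex is HttpUnhandledException && ex.InnerException != null)
            ex = ex.InnerException;

        return ex is ArgumentException
            && ex.TargetSite != null
            && ex.TargetSite.DeclaringType == typeof(ClientScriptManager)
            && ex.TargetSite.Name == "ValidateEvent";
    }

    // Request values are client-controlled: strip line breaks so a forged
    // header cannot inject extra log entries, and cap the length.
    private static string Clean(string value)
    {
        if (string.IsNullOrEmpty(value)) return "-";
        value = value.Replace('\r', ' ').Replace('\n', ' ');
        return value.Length > 200 ? value.Substring(0, 200) : value;
    }

    protected void Application_Error(object sender, EventArgs e)
    {
        if (!IsEventValidationFailure(Server.GetLastError()))
            return; // every other exception is left unhandled, as before

        System.Diagnostics.Trace.TraceWarning(
            "Rejected postback (event validation): ip={0} url={1} ua={2}",
            Request.UserHostAddress, Clean(Request.RawUrl), Clean(Request.UserAgent));

        Server.ClearError();       // mark this one as handled
        Response.Clear();
        Response.StatusCode = 400; // the postback was rejected, not a server fault
    }
}
```

The warning goes to whatever System.Diagnostics trace listeners the application has configured. Event validation itself stays enabled.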
About the Author: Mads Kristensen currently works as a Senior Developer at Traceworks located in Copenhagen, Denmark. Mads graduated from Copenhagen Technical Academy with a multimedia degree in 2003, but has been a professional developer since 2000. His main focus is on ASP.NET, but he is responsible for Winforms, Windows- and web services in his daily work as well. A true .NET developer with great passion for the simple solution.
http://www.madskristensen.dk/