Introduction
One of my client servers was attacked by a 'one-click attack'. Do you know what a one-click attack is? I don't want to annoy you with a long description of it,
so I will make it short! A one-click attack is when a hacker creates HTML that includes a form and a link which, when clicked, submits the form
to the server being attacked. The hacker then uses it to spam the target site.
Solution
In one-click attacks, the attacker works through third parties, such as emails with content that looks familiar, like "click here to claim your prize". You can set the ViewStateUserKey
property on your pages and it will be stored in ViewState. When the page is posted back, the runtime checks the ViewState to make sure it's equal to the current
ViewStateUserKey.
Here is an example of code that can solve your problem:

    protected void Page_Init(object sender, EventArgs e)
    {
        // Tie this page's ViewState to the client's IP address.
        this.ViewStateUserKey = Request.UserHostAddress;
    }

And now attackers can't copy your hidden field and use it in a one-click attack!
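
An IP address is shared by every user behind the same NAT or proxy, so a key that is unique per user or per session is a tighter choice. The variant below is an added example, not the author's code; the class name UserKeyedPage and the session marker name are assumptions.

```csharp
using System;
using System.Web.UI;

// Hypothetical base class: pages inherit from it instead of
// System.Web.UI.Page so that every page gets the same per-user key.
public class UserKeyedPage : Page
{
    protected override void OnInit(EventArgs e)
    {
        // ViewStateUserKey has to be assigned during Init;
        // assigning it later in the page life cycle raises an exception.
        if (Context.User != null && Context.User.Identity.IsAuthenticated)
        {
            // Logged-in user: bind ViewState to the login name.
            ViewStateUserKey = Context.User.Identity.Name;
        }
        else if (Context.Session != null)
        {
            // With cookie-based sessions, ASP.NET issues a new SessionID on
            // every request until something is stored in the session.
            // Write a marker first so the ID stays stable across postbacks.
            if (Context.Session["ViewStateUserKeyPinned"] == null)
            {
                Context.Session["ViewStateUserKeyPinned"] = true;
            }
            ViewStateUserKey = Context.Session.SessionID;
        }
        // If neither a user nor a session is available, no key is set and
        // the page has only the default ViewState MAC protection.

        base.OnInit(e);
    }
}
```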
Taha started programming at the age of 16 and has taken an avid interest in Microsoft technologies. He works professionally on ASP.NET and C#. Mainly, he lives for getting the world into codes and follows this aspiration in a third world country with lack of facility and support. He never gives up seeking success and competence.