Introduction
One of my client servers was attacked by a 'One-Click Attack'. Do you know what a one-click attack is? I don’t want to annoy you with a long description of it,
so I will make it short! A one-click attack is when a hacker creates HTML that includes a form and a link which, when clicked, submits the form
to the server being attacked. The hacker then uses it to spam the target site.
Solution
One-click attacks rely on third parties, such as emails with familiar-looking content like "click here to claim your prize". You can set the ViewStateUserKey
property on your pages and it will be stored in ViewState. If the page is a postback, the runtime checks the ViewState to make sure it’s equal to the current
ViewStateUserKey.
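Here is an example of code that can solve your problem:
    // Code-behind of the page (or of a base class shared by your pages).
    protected void Page_Init(object sender, EventArgs e)
    {
        // ViewStateUserKey must be set during Page_Init; later in the page life cycle is too late.
        // The key should be unique per user; note that users behind the same NAT or proxy share one IP.
        this.ViewStateUserKey = Request.UserHostAddress;
    }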
And now attackers can’t copy your hidden field and use it in a one-click attack!
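To see why the value chosen for the key matters, here is an added example (not code from the original post, and not ASP.NET's real ViewState format): a simplified console model in which the hidden field carries a MAC computed over the state and the user key. The server secret, the session names and the IP address are constructed; the session strings stand in for a per-session value such as Session.SessionID.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
// Simplified model, not ASP.NET's real ViewState format: the hidden field is
// "state.mac", where mac = HMAC(serverKey, userKey + "\n" + state).
static class ViewStateUserKeyModel
{
    // Constructed secret standing in for the server's validation key.
    static readonly byte[] ServerKey = Encoding.UTF8.GetBytes("constructed-demo-key");

    static string Protect(string state, string userKey)
    {
        using (var hmac = new HMACSHA256(ServerKey))
        {
            byte[] mac = hmac.ComputeHash(Encoding.UTF8.GetBytes(userKey + "\n" + state));
            return Convert.ToBase64String(Encoding.UTF8.GetBytes(state))
                   + "." + Convert.ToBase64String(mac);
        }
    }

    // Recompute the field with the key of the user making the request and compare.
    static bool Validate(string field, string userKey)
    {
        string[] parts = field.Split('.');
        if (parts.Length != 2) return false;
        string state;
        try { state = Encoding.UTF8.GetString(Convert.FromBase64String(parts[0])); }
        catch (FormatException) { return false; }
        string expected = Protect(state, userKey);
        int diff = expected.Length ^ field.Length;
        for (int i = 0; i < expected.Length && i < field.Length; i++)
            diff |= expected[i] ^ field[i];   // no early exit on mismatch
        return diff == 0;
    }

    static void Main()
    {
        // Constructed scenario: the form author and the victim share one NAT address.
        const string sharedIp = "203.0.113.7";
        string fromIpKey = Protect("form=comment", sharedIp);
        string fromSessionKey = Protect("form=comment", "session-of-form-author");
        // The victim's browser submits the copied field; the server checks it
        // against the key derived for the victim's request.
        Console.WriteLine("IP key, shared NAT:  " + Validate(fromIpKey, sharedIp));
        Console.WriteLine("Session key:         " + Validate(fromSessionKey, "session-of-victim"));
        Console.WriteLine("Victim's own field:  "
            + Validate(Protect("form=comment", "session-of-victim"), "session-of-victim"));
    }
}
```

In this model the copied field is rejected only when the key differs between the two users, which is why a per-session or per-user value protects better than an address that several users can share.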