without interfering with its structure, and see whether an error message

■

If you can modify the ViewState without causing errors, you should

■

Note that the keyed hash option may be enabled or disabled on a per-

The other principal way in which applications use client-side controls to

restrict data submitted by clients occurs with data that was not originally spec-

ified by the server but was gathered on the client computer itself.

HTML forms are the simplest and most common mechanism for capturing

input from the user and submitting it to the server. In the most basic uses of this

method, users type data into named text fields, which are submitted to the server

as name/value pairs. However, forms can be used in other ways, which are

designed to impose restrictions or perform validation checks on the user-supplied

data. When an application employs these client-side controls as a security mech-

anism, to defend itself against malicious input, the controls can usually be triv-

ially circumvented, leaving the application potentially vulnerable to attack.

Consider the following variation on the original HTML form, which imposes a

maximum length of 3 on the quantity field: