Message: Invalid postback or callback argument. Event validation is enabled using
Many of us get this error message often, either in the event viewer or on the page itself. But what does it signify? When does it come up? What can we do to eliminate this exception when it is caused by coding mistakes?
What does it signify?
In ASP.NET 2.0 we have added a feature called event validation. Event validation checks the incoming POST request to ensure that the event causing the postback or callback is valid and is one the runtime expects. If the runtime finds a postback or callback raised by an event that is not registered for validation, it throws an exception. This was added in ASP.NET 2.0 explicitly to prevent attacks on the application that spoof a postback. Event validation can help prevent injection attacks from malicious users who try to POST data through an event that does not originate from the controls registered on the page.
You can enable or disable this feature by setting the property EnableEventValidation = true in the web.config or at the page level. It is enabled by default. You can find more information about this property in the MSDN link.
So this is all the "good" that event validation signifies. Agreed, this is a very good security feature which helps prevent script injection attacks. But if the exception appears during the normal execution of an application, it is not expected and does not hold "good" anymore. That is where we need to troubleshoot and find the problem area.
When does it come up? What can we do to eliminate this exception due to coding mistakes?
As I have already mentioned, a script injection attack can cause this exception. In that case we need not investigate why it is coming up; rather, we can track down the client who is attempting the attack and take appropriate action. So I will focus on the scenarios where it comes up due to coding mistakes.
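For the attack case, the client can be identified from the failed request itself. The following is an added example, not code from the original post: a Global.asax handler that records the client address, page and posted __EVENTTARGET whenever event validation rejects a request. The class name, log path and log format are assumptions, as is identifying the failure by the ValidateEvent method that throws it.

```csharp
using System;
using System.IO;
using System.Web;

// Added example, not from the original post. Global.asax code-behind; the
// class name, log path and log format are assumptions.
public class Global : HttpApplication
{
    private static readonly object LogLock = new object();

    // Assumption: event validation failures surface as the ArgumentException
    // thrown by ClientScriptManager.ValidateEvent, so the throwing method is
    // checked rather than the localizable message text.
    private static bool IsEventValidationFailure(Exception ex)
    {
        ArgumentException arg = ex as ArgumentException;
        return arg != null && arg.TargetSite != null
            && arg.TargetSite.Name == "ValidateEvent";
    }

    // Strip CR/LF and cap length so posted values cannot forge log lines.
    private static string Clean(string value)
    {
        if (string.IsNullOrEmpty(value)) return "(none)";
        value = value.Replace('\r', ' ').Replace('\n', ' ');
        return value.Length > 200 ? value.Substring(0, 200) : value;
    }

    protected void Application_Error(object sender, EventArgs e)
    {
        Exception last = Server.GetLastError();
        // Page exceptions arrive wrapped in HttpUnhandledException.
        if (last == null || !IsEventValidationFailure(last.GetBaseException())) return;

        string target;
        try { target = Request.Form["__EVENTTARGET"]; }     // control named by the POST
        catch (HttpException) { target = "(unreadable)"; }  // request validation tripped

        string line = string.Format("{0:u} client={1} page={2} target={3} agent={4}{5}",
            DateTime.UtcNow, Request.UserHostAddress, Clean(Request.Path),
            Clean(target), Clean(Request.UserAgent), Environment.NewLine);

        lock (LogLock)
        {
            File.AppendAllText(Server.MapPath("~/App_Data/eventvalidation.log"), line);
        }
        // The error is not cleared, so the application's normal error handling still runs.
    }
}
```

Grouping the log by page and target helps separate the two cases: a coding mistake fails for every client on the same control, while tampering tends to come from one client posting targets the page never rendered.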
These mistakes are many in number, so I will cover just a couple of them in this post:
1. You have migrated an ASP.NET application from version 1.1 to version 2.0. In 1.1 we had to manipulate the "Select" button column for selecting the record, and we normally set the Visible property of this button column to FALSE.
The button column has a "LinkButton" / "Button" for selecting records, and we manually do a postback using the __dopostback() method.
Agreed, the "LinkButton" / "Button" should register this method for event validation by internally calling ClientScript.RegisterForEventValidation(). But with the "Visible" property set to FALSE, the control is not rendered and therefore is not registered for event validation by ASP.NET 2.0. However, the DataGrid still uses this event. Since the event is not registered, it results in the above error.
In this scenario, manually registering the client script for each DataGrid row will help.
You can simply loop through the rows as shown in the code below.
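// Page code-behind; needs System.Web.UI and System.Web.UI.WebControls.
protected override void Render(HtmlTextWriter writer)
{
    // A control with Visible = false is never rendered, so ASP.NET does not
    // register it; register each row's "Select" button by hand instead.
    foreach (DataGridItem row in DataGrid1.Items)
    {
        ClientScript.RegisterForEventValidation(row.UniqueID + ":_ctl0");
    }
    base.Render(writer);
}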
So this signifies that if you are not rendering the control, it is not registered for validation internally. You need to do that manually using the RegisterForEventValidation function.
2. You have an ASP.NET 2.0 application with a page where a lot of JavaScript adds dynamic controls. On the POST of this particular page you will get the above-mentioned exception for "Invalid postback or callback argument". This happens if the JavaScript adds a FORM tag as well as the dynamic controls, resulting in nested form tags.
This can be reproduced quite easily as well.
In Default.aspx have the code below:
<%@ Page Language="C#" AutoEventWireup="true" CodeFile="Default.aspx.cs" Inherits="_Default" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
So this signifies that if you have nested form tags, the above-mentioned error message will come up.
With these two scenarios I will stop at this point. I hope this first post of mine helps you. Happy reading.
Do not do the following - Security RISK
Resolution no 1:
1) Go to the Web.config file and add the following on the pages tag in your configuration section:
EnableEventValidation="false"
Resolution no 2:
Add the following exception per page, at the top of the aspx page:
Example:
<%@ Page EnableEventValidation="false" %>
or
<%@ Page EnableEventValidation="false" Title="" Language="vb" AutoEventWireup="false"
MasterPageFile="~/Master/Admin.Master" CodeBehind="default.aspx.vb" Inherits="ERP._default1" %>