
Is it possible to decode, and thus tamper with, the rendered _EVENTVALIDATION field? I found a lot of information about what it DOES, but couldn't find anything that actually says whether or not the value itself is protected against tampering. I did attempt to base64 decode it and got gibberish back, so I'm assuming that it is in fact encrypted, but if someone knows for sure and can verify that, that would be awesome.

I do know that Viewstate is not encrypted (although you can set it to be). I'm not as interested in that, I'm just interested in eventvalidation.

I found a similar question: Is it possible to decode EventValidation and ViewState in ASP.NET? but no one seemed to have a specific answer regarding the event validation field.

Concrete example: I have a dropdown of available reports that the user can run. It's populated with some "members" reports but also some "Admin only" reports which are rendered during OnLoad, and only adds them if the user is an Admin. When the page posts back, can I trust the event validation routine to be secure and that the user has not injected an "admin only" report into the list of acceptable values, or should I re-check permissions in my postback handler to verify the user can actually use the report that was selected?

Eric

2 Answers


First, event validation is a backstop protection against XSRF, not against malicious users.

If you want to make sure they can only run the reports they are permitted to run, then check they are permitted to run the report at the point you run it.

Secondly, the event validation data is encrypted and has a MAC. It should be very hard to tamper with. But relying on it is not the right way to solve your problem.

Ben
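The check the answer above recommends, written out as an added example (this is not code from the original question or answers). It assumes a Web Forms page with a DropDownList `ddlReports`, a Button `btnRun` and a Label `lblStatus` declared in the .aspx, and a hypothetical in-memory `Catalog` standing in for wherever the report definitions really live. The point is that the postback handler looks the posted value up server-side and enforces the role requirement itself, whether or not `__EVENTVALIDATION` would have rejected an injected option.

```csharp
// Added example, not from the original post. ddlReports, btnRun, lblStatus,
// Report, Catalog and RunReport are assumed names for illustration only.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class Reports : Page
{
    // Hypothetical report catalogue: the server-side source of truth for
    // which reports exist and which of them are admin only.
    private sealed class Report
    {
        public string Id;
        public string Name;
        public bool AdminOnly;
    }

    private static readonly List<Report> Catalog = new List<Report>
    {
        new Report { Id = "sales", Name = "Sales summary",   AdminOnly = false },
        new Report { Id = "usage", Name = "Usage by member", AdminOnly = false },
        new Report { Id = "audit", Name = "Audit log",       AdminOnly = true  },
    };

    private bool IsAdmin
    {
        get { return User != null && User.IsInRole("Admin"); }
    }

    // Populates the list the way the question describes: members see the
    // member reports, admins additionally see the admin-only ones.
    protected void Page_Load(object sender, EventArgs e)
    {
        if (IsPostBack) return;

        ddlReports.Items.Clear();
        foreach (var r in Catalog.Where(r => !r.AdminOnly || IsAdmin))
        {
            ddlReports.Items.Add(new ListItem(r.Name, r.Id));
        }
    }

    protected void btnRun_Click(object sender, EventArgs e)
    {
        // Treat the posted value as untrusted input. Event validation may
        // already have rejected a value that was never rendered, but the
        // authorization decision is made here, at the point the report runs,
        // against the catalogue rather than against the rendered list.
        string requestedId = ddlReports.SelectedValue;
        Report report = Catalog.FirstOrDefault(r => r.Id == requestedId);

        if (report == null || (report.AdminOnly && !IsAdmin))
        {
            // Unknown report, or an admin-only report requested by a
            // non-admin: refuse the request outright.
            throw new HttpException(403, "Not permitted to run this report");
        }

        RunReport(report.Id);
    }

    private void RunReport(string reportId)
    {
        // Placeholder for the real report execution.
        lblStatus.Text = "Running " + reportId;
    }
}
```

Note that `IsAdmin` is evaluated from the authenticated principal on every request, so the decision in `btnRun_Click` does not depend on anything the client could have edited, including ViewState or the event validation field.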

If you haven't turned off the native injection protection settings, then if anyone tries to edit the control's list of values and post it back, it will cause an error.

Scott Reed
  • Right, I know that. I'm saying that if someone went to the trouble of attempting to edit the list of values, is there anything stopping them from also editing the event validation field to accept the value they just tried to hack in? – Eric Mar 28 '11 at 20:53