Do ASP.NET web forms validate the radio button val

Published 2020-08-01 06:13

Question:

I have an ASP.NET web form that contains a radio button list. Each radio button has a value associated with it. The radio button list has a validator control to ensure that at least one button is checked.

<input name="Country" value="US" id="CountryUS" type="radio" runat="server" />
<input name="Country" value="Other" id="CountryOther" type="radio" runat="server" />

As I understand it, HTTP converts a radio button into a name/value pair where the name is the name of the radio button and the value is the associated value (it is NOT true/false).

If the first radio button is checked, the HTTP traffic will be

Country=US

and if the second one is checked, the HTTP traffic will be

Country=Other

Consequently the value is free and clear to be tampered with (e.g. with Paros) almost as easily as the query string can be tampered with.

Country=Other'+DROP+TABLE+Users

Normally on a page you would call page.Validate() to trigger server side validation. In this case however the validation for the radio button is simply a selected index validator. There is no validator that explicitly checks the value.

How do I know the client hasn't tampered with the Value? Is it duplicated in ViewState, and does ASP.NET automatically check it? Or can a hacker put anything they want in there and essentially inject a string into my system (unless I manually validate it in code)?

Answer 1:

With a small amount of experimentation I have determined the following:

  1. The "Value" of the radio buttons above is indeed passed in the form/post, and can easily be tampered with. In my test app I tampered with the value by setting it with some jQuery, but it could just as easily be modified in Paros or with MITM (assuming no encryption).

  2. The value that is passed in the form/post is not the same value that is returned by rboControl.Value. In fact the only way to get it is with Request.Form["field name"].

  3. The value that is returned from rboControl.Value is always the value in the markup itself. So it is not vulnerable to tampering.

  4. The value that is returned from rboControl.Checked appears to be equivalent to the expression (rboControl.Value == Request.Form["Field Name"]). If the value doesn't match any of the controls, none of them return Checked = true.

  5. All of the above statements are true whether or not view state is enabled for the control in question.

  6. All of the above statements are true regardless of whether you have enabled page event validation.

So to answer my own question, YES, the radio button value is validated via white list on the server side, and this validation happens automatically.

Edit:

Did some more testing of a similar nature but on drop down controls. Same finding. In addition, if you have page event validation enabled, ASP will throw an exception if the form/post value does not match the value of any of the items in the dropdownlist markup (or added programmatically, as persisted in ViewState). Which, to wit, makes it impossible to add additional list items on the client side.
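The findings above (markup Value is trusted, Request.Form is raw client input, Checked is true only when the two match) translate into the following code-behind pattern. This is an added example, not code from the original post; the control ids CountryUS and CountryOther come from the question's markup, while the CountryForm class, Submit_Click handler and Status label are hypothetical names assumed for the example.

```csharp
using System;
using System.Web.UI;
using System.Web.UI.WebControls;

// Hypothetical code-behind for the page holding the two runat="server" radio inputs.
public partial class CountryForm : Page
{
    protected void Submit_Click(object sender, EventArgs e)
    {
        // Raw posted value: whatever the client sent, tampered or not.
        // Only ever use this for logging, never as application data.
        string raw = Request.Form["Country"];

        // Server-side view: each control's Value is the markup value, and Checked is
        // true only when the posted value matched that markup Value exactly.
        string selected = null;
        if (CountryUS.Checked) selected = CountryUS.Value;
        else if (CountryOther.Checked) selected = CountryOther.Value;

        if (selected == null)
        {
            // Neither control matched the post: either nothing was selected or the
            // client submitted a value that is not in the markup whitelist.
            if (!string.IsNullOrEmpty(raw))
            {
                // A non-empty post that matches no control is a tampering signal
                // worth recording (the raw value is data here, so it is logged, not used).
                System.Diagnostics.Trace.TraceWarning(
                    "Country post did not match any markup value: {0}", raw);
            }
            Status.Text = "Please pick a country.";
            return;
        }

        // 'selected' is now guaranteed to be one of the whitelisted markup values.
        Status.Text = "Selected: " + selected;
    }
}
```

Because the handler never reads Request.Form into application logic, a payload such as the one in the question can only ever produce the "no selection" branch and a trace entry.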