CheckFormId not working
#13
OK, I understand how it should work now. Thank you. That being said, I think I finally figured out how we failed our penetration test for a CSRF attack. It appears that the IWAppFormCheckFormId event only fires on the 2nd "post" attempt, not the 1st.

I proved it using an IntraWeb IV demo. Open the "Features" demo project for IntraWeb IV from the GitHub website. In ServerController, set the CheckFormId value to True. On the Combobox form, add the OnCheckFormId event and put some code in there so you can set a breakpoint inside the event. I ran the project in debug mode, selected Base features from the menu and then Miscellaneous, which displays the Combobox form. Change the value in the combo box from "No Selection" to some value. The cmboNumbersChange event fires; however, the IWAppFormCheckFormId event does not! If you immediately change the combo box value again to a different value, the IWAppFormCheckFormId will finally fire.

Why didn't it fire the first time I changed the combo value? This is why our testers were able to successfully submit a post with an invalid form Id. Shouldn't the IWAppFormCheckFormId fire on the first "post"? Please explain.


Messages In This Thread
CheckFormId not working - by rchristi12 - 08-12-2019, 09:11 PM
RE: CheckFormId not working - by rchristi12 - 08-13-2019, 12:51 PM
RE: CheckFormId not working - by rchristi12 - 08-16-2019, 01:00 PM
RE: CheckFormId not working - by rchristi12 - 09-03-2019, 05:27 PM
RE: CheckFormId not working - by rchristi12 - 09-05-2019, 09:21 PM
RE: CheckFormId not working - by rchristi12 - 09-09-2019, 09:56 PM
RE: CheckFormId not working - by kudzu - 09-09-2019, 10:13 PM
RE: CheckFormId not working - by rchristi12 - 09-11-2019, 07:09 PM
RE: CheckFormId not working - by rchristi12 - 09-15-2019, 04:51 AM
