Why do I get "Invalid postback or callback argument" Errors?

Introduction:

This is the first post of mine so thought of starting with a simple but tricky issue which I came across in few support incidents I have handled. I had a scenario where one of my customers was getting an error message like -

Invalid Postback or callback argument . Event validation is enabled using <pages enableEventValidation="true"/> in configuration or <%@ Page EnableEventValidation="true" %> in a page. For security purposes, this feature verifies that arguments to Postback or callback events originate from the server control that originally rendered them. If the data is valid and expected, use the ClientScriptManager.RegisterForEventValidation method in order to register the Postback or callback data for validation.

Many of us get this error message often, either in the event viewer or on the page itself. But what does it signify? When does it come up? What we can do to eliminate this exception due to coding mistakes?

What does it signify?

In ASP.NET 2.0 we have added a feature called event validation. Event validation checks the incoming POST request to ensure that the event causing the Postback / callback is valid and the event which triggered the Postback /callback is expected by the Runtime. If the runtime finds a Postback / callback by an event which is not registered for validation, it throws an exception. This has been added in ASP.NET 2.0 explicitly to prevent the attack to the application by spoofing a Postback. Event validation can help prevent injection attacks from malicious users who are trying to POST data by an event which does not come up from the controls registered to the page.

You can enable or disable this feature by simply setting up Property EnableEventValidation = true in the web.config or on the page level. By default it is enabled. You can find more information about this property in the MSDN link.

So this is about all the “good” which event validation signifies. Agreed that this is a very good security feature which helps preventing script injection attacks but if it is coming during the normal execution of an application, the exception is not expected and does not hold “good” anymore. That is where we need to troubleshoot and find out the problem area.

When does it come up? What we can do to eliminate this exception due coding mistakes?

As I have already spoken about the script injection attack can cause this exception, we should not bother about why it is coming up. Rather in that case we can track down the client who is trying to inject the attack and take appropriate action. So I will rather focus upon the scenarios when it comes up due some coding mistakes.

These mistakes are many in number so I would rather cover just a couple of them in this Post:

1. You have migrated an ASP.NET application from version 1.1 to version 2.0. In 1.1 we had to manipulate the "Select" button column for selecting the record and we normally set the visible property of this button column to FALSE.

The button column has "LinkButton" /”Button” for selecting records and we manually do a Postback using the __dopostback() method.

Agreed that the "LinkButton" /”Button” should register this method for event validation by internally calling the ClientScript.RegisterForEventValidation(). But with the “Visible” property set to FALSE, the control is not rendered and therefore control is not registered for EventValidation by ASP.NET 2.0. However, the DataGrid still utilizes this event. Since the event is not registered, it results in the above error.

In this scenario manually registering the client script for each DataGrid rows will help.

You can simply loop through the rows as mentioned in below code.

protected override void Render(HtmlTextWriter writer)

{

foreach (DataGridItem row in DataGrid1.Items)

ClientScript.RegisterForEventValidation(row.UniqueID.ToString() +":_ctl0");

base.Render(writer);

}

So this signifies that if you are not rendering the control then it is not registered for the validation internally. You need to do that manually using the RegisterForEventValidation function.

2. You have an ASP.NET 2.0 application which has a page with a lot of Javacript adding dynamic controls. On the POST of this particular page you will get the above mentioned exception for Invalid Postback or callback argument. This happens if Javascript is adding a FORM tag as well as adding dynamic controls resulting in the nested form Tags.

This can be reproduced quite easily as well –

In Default.aspx have the below code -

<%@ Page Language="C#" AutoEventWireup="true" CodeFile="Default.aspx.cs"

Inherits="_Default" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"

"https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="https://www.w3.org/1999/xhtml" >

<head runat="server">

<title>Untitled Page</title>

</head>

<body>

<form id="form1" runat="server">

<div>

<asp:Button ID="Button1" runat="server" Text="Button" />

<form></form>

</div>

</form>

</body>

</html>

So this signifies that if you have nested form tags the above mentioned error message will come up.

So with these two scenarios I will stop at this point. I hope this first post of mine might help you and happy reading.