I have an ASP.NET web form that contains a radio button list. Each radio button has a value associated with it. The radio button list has a validator control to ensure that at least one button is checked.
<input name="Country" value="US" id="CountryUS" type="radio" runat="server" />
<input name="Country" value="Other" id="CountryOther" type="radio" runat="server" />
As I understand it, HTTP converts a radio button into a name/value pair where the name is the name of the radio button and the value is the associated value (it is NOT true/false).
If the first radio button is checked, the HTTP traffic will be
Country=US
and if the second one is checked, the HTTP traffic will be
Country=Other
Consequently the value is free and clear to be tampered with (e.g. with Paros) almost as easily as the query string can be tampered with.
Country=Other'+DROP+TABLE+Users
Normally on a page you would call page.Validate() to trigger server side validation. In this case however the validation for the radio button is simply a selected index validator. There is no validator that explicitly checks the value.
How do I know the client hasn't tampered with the Value? Is it duplicated in ViewState, and does ASP.NET automatically check it? Or can a hacker put anything they want in there and essentially inject a string into my system (unless I manually validate it in code)?
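One way to do the manual validation the question mentions, as an added example that is not part of the original post: the posted `Country` value is checked against the only two values the form renders, independent of whatever the framework does on postback. The class and method names (`CountryField`, `TryGetCountry`) are hypothetical, and the sample posts in `Main` are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.Specialized;

// Hypothetical helper: the names here are illustrative, not part of ASP.NET.
public static class CountryField
{
    // The only values the form ever renders for the "Country" radio group.
    private static readonly HashSet<string> Allowed =
        new HashSet<string>(StringComparer.Ordinal) { "US", "Other" };

    // Returns true and the value only when exactly one allowlisted value
    // was posted; a missing, repeated or unknown value is rejected.
    public static bool TryGetCountry(NameValueCollection form, out string country)
    {
        country = null;
        string[] posted = form.GetValues("Country");
        if (posted == null || posted.Length != 1)
            return false;               // field absent, or sent more than once
        if (!Allowed.Contains(posted[0]))
            return false;               // a value the page never offered
        country = posted[0];
        return true;
    }

    public static void Main()
    {
        // Constructed sample posts; the last is the tampered value from the question.
        string[] samples = { "US", "Other", "us", "Other' DROP TABLE Users" };
        foreach (string s in samples)
        {
            var form = new NameValueCollection { { "Country", s } };
            string country;
            bool ok = TryGetCountry(form, out country);
            Console.WriteLine("{0,-28} -> {1}", s, ok ? "accepted" : "rejected");
        }
    }
}
```

In a page handler the same check can be given `Request.Form`, which is a `NameValueCollection`. An accepted value should still reach the database only through a parameterized query.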