We have an application that uses RadGrid and one of our clients recently performed a penetration test on our application and identified the hidden input _ClientState as a vulnerability because they were able to trigger a buffer overflow error.
Here is the relevant code from the test where ClientState=AAA repeats ...
Is there a way to prevent this from happening? Perhaps some way to set the max length for this hidden input or some other technique that we can utilize to mitigate this vulnerability?
We are using Telerik RadControls for ASP.NET Ajax.
For reference, there is another thread related to this topic (i.e., ClientState hidden field) where my colleague posted a similar question but received no response - http://www.telerik.com/forums/what-is-clientstate-input-hidden-for
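One defensive option for the question above, as an added example that is not from the original post or from Telerik: an ASP.NET `IHttpModule` that rejects any postback whose `*_ClientState` hidden field exceeds a length cap before the page lifecycle (and the control's client-state deserialization) runs. The module name, the 16 KB cap and the `_ClientState` suffix match are assumptions; size the cap to the largest legitimate state your RadGrid pages actually post.

```csharp
using System;
using System.Web;

// Added example (not the original post's or Telerik's code): cap the size of
// every *_ClientState hidden field at the pipeline level so an oversized value
// never reaches the control that parses it.
public class ClientStateLengthModule : IHttpModule
{
    // Assumed cap; measure real postbacks from your grids before settling on it.
    private const int MaxClientStateLength = 16 * 1024;

    public void Init(HttpApplication app)
    {
        app.BeginRequest += OnBeginRequest;
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        if (!string.Equals(ctx.Request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase))
            return;

        // Request.Unvalidated (.NET 4.5+) lets us measure the field without
        // triggering request validation on the whole form.
        var form = ctx.Request.Unvalidated.Form;
        foreach (string key in form.AllKeys)
        {
            // Telerik client-state fields are named <ControlClientID>_ClientState.
            if (key == null || !key.EndsWith("_ClientState", StringComparison.Ordinal))
                continue;

            string value = form[key];
            if (value != null && value.Length > MaxClientStateLength)
            {
                // Fail closed with a generic 400 and stop the pipeline here.
                ctx.Response.StatusCode = 400;
                ctx.Response.StatusDescription = "Bad Request";
                ctx.Response.SuppressContent = true;
                ctx.ApplicationInstance.CompleteRequest();
                return;
            }
        }
    }

    public void Dispose() { }
}
```

Register the module under `<system.webServer><modules>` in web.config (integrated pipeline) and pair it with `<httpRuntime maxRequestLength="...">` so the total request body is bounded as well, not just this one field.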