It sends:
- URL
- various info (like browser used)
- form fields
- view state
There are plenty of tools around that can sniff both request and
response. If you use one you would be able to check.
Example.
Simple page:
<html>
<head>
<title>Form demo</title>
<script language="C#" runat="server">
void Page_Load(Object sender, EventArgs e)
{
if(!IsPostBack)
{
tb.Text = "";
}
}
void btn_Click(object sender, EventArgs e)
{
}
</script>
</head>
<body>
<form runat="server">
Some text: <asp:textbox id="tb" runat="server"/>
<br>
<asp:button id="btn" text="Submit" onclick="btn_Click" runat="server"/>
</form>
</body>
</html>
First GET request:
GET /formdemo.aspx HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101
Firefox/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Second POST request:
POST /formdemo.aspx HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101
Firefox/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Referer:
http://localhost:8080/formdemo.aspx
Content-Type: application/x-www-form-urlencoded
Content-Length: 165
__VIEWSTATE=%2FwEPDwUJNjk3ODAzNzMzZGTGgdCdhujGcPRe8naUKHrXap8fHQ%3D%3D&__EVENTVALIDATION=%2FwEWAwKFt8r5AgLM76LvDAKSoqqWDyB3Vl2DgjYPcVJeTUbyzaBocTIP&tb=ABC&btn=Submit
Arne
