Skip to main content

Asp.net mvc model binding security.

One of the thing that makes asp.net.mvc so interesting is default model binding. Model binding in simple words allows you to take the posted form data from the view and bind it to the action method's parameter in the controller without any fuss. But there is a security flaw in model binding which everyone using asp.net mvc should know .The problem is, in asp.net mvc controller you cannot be sure what you got as the posted value from the view because it is absolutely possible that an extra property, or an overwritten property which you don't want get passed to the controller which could spell disaster. And in the controller if the property matches the orginal property then the things could get out of hand.

Here's a simple scenario to understand more what I have defined. A person filling a create user form to become the member of the website requiring some payment in the process passed an Isenabled=true property (which we all have) and unfortunately there is a match in the model at the controller and you haven't defined any whitelist properties (which are included at the controller) or any black listed properties which (which we excluded at the controller) then the user will automatically become active. The cycle which was to be followed was that the moderator after viewing if everything was right and the payment is successfully accepted was going to enable him. So there is a voilation of that cycle.


Tools

You can create the scenario by using firebug.

Solution

By using Include or Exclude in the Bind Attribute class we can lock the properties that are allowed in the model.
[AcceptVerbs(HttpVerbs.Post)]
public ActionResult CreateUser([Bind(Include="UserName, Password,ConfirmPassword EmailAddress")] UserView User)
If there are large quantity of fields you have the option to use exclude to restrict the properties.
[AcceptVerbs(HttpVerbs.Post)]
public ActionResult CreateUser([Bind(Exclude="IsEnabled")] UserView User)
Other option
   [Bind(Exclude="GroupID")]
    public class Group
    { 
        [Key]
        public int GroupID { get; set; }

        [Required]
        [Display(Name = "Group Name")]
        [StringLength(50)]
        public string GroupName { get; set; }
        [ScaffoldColumn(false)]
        public DateTime? CreatedDate { get; set; }
        [ScaffoldColumn(false)]
        public DateTime? ModifiedDate { get; set; }
    }

Comments

Popular posts from this blog

Asp.net mvc razor render partial view using ajax helper

This is the extension to my blog in which I demonstrated rendering of the partial view using jquery Ajax . I want to demonstrate here yet another way by which partial view can be rendered without page refresh. Here is the implementation. Step 1: I will again be using DisplayData class in my demo. Here is it. public class DisplayData { public int ID { get; set; } public DisplayData(int ID) { this.ID = ID; } } Step 2: Create a PartialDemo page @model IEnumerable<MvcApplication5.Models.DisplayData> @{ ViewBag.Title = "PartialDemo"; } @Ajax.ActionLink("Click 1", "PartialDemo", "PartialDemo", new {Data= "1" }, new AjaxOptions { UpdateTargetId = "rsvpmsg" }) @Ajax.ActionLink("Click 2", "PartialDemo", "PartialDemo", new {Data= "2" }, new AjaxOptions { UpdateTargetId = "rsvpmsg" }) <div id="rsvpms

Asp.net mvc razor render partial view using jquery Ajax

I will going to demonstrate how we can render PartialViews using Jquery Ajax. I will be clicking an a href link ,then I will be calling the controller through jquery Ajax which will fill the partialview for a really nice user experience. Step 1: First of all we will be creating an DisplayData class for the use for this example in the model. public class DisplayData { public int ID { get; set; } public DisplayData(int ID) { this.ID = ID; } } Step 2: We will create a Clicks page and write the following code on it. Specially note empty here which will going to empty and then fill partialview with new records. $(document).ready(function () { $('.msg').click(function () { var id = this.id; $.ajax({ url: "/Category/Display", data: { data: id }, success: function (mydata) { $("#link").empty().appe

Asp.net mvc DataAnnotation ValidateAttribute two properties comparison.

Using Datannotion is great but there are scenarious in which the current attributes compare, range etc becomes inadequate especially for the comparisions. So we create here our own custom validation using ValidationAttribute class which is the base class for all the annotation attributes. So by deriving from it and overriding the Isvalid method we can create our custom attribute for the model. So here is the scenario in which I will be validating the Username against the password which should not be equal. Compare attribute cannot be used in this scenario so I have created a custom attribute for that. Here is the model with the attribute. User View Model [CompareUserPass("UserName", "Password", ErrorMessage = "UserName and password cannot be equal")] public class UserView { [Required(ErrorMessage = "UserName Required")] public string UserName { get; set; } [Required(