Catching ASP.NET MVC POST values

A recent MVC3 project of mine was hacked by my instructor and he won't tell me how he did it until he does a class presentation a few weeks later. I, however, cannot wait long.

My question is, is there a way to intercept the data sent from the View to the Controller's POST method? If so, how is this done, and how can it be stopped?

FOR EXAMPLE:

A registration page that submits a User object to the database. The custom object has a boolean Admin, which is automatically set to false. The hacker intercepts the POST and changes the value of the Admin attribute for the user to true.

Any help would be great.



2 answers


There is nothing fancy or secure about a request made to a controller (or any HTTP handler). It is just a string of name/value pairs that can be changed as desired. Look at Request.Form in the Visual Studio Immediate window.

You can tamper with form data using a tool like the Firefox Tamper Data plugin. It is trivial to change, even without a tool, using a few lines of code. You don't even need a web browser to do this.

My guess is your lecturer just changed the POST from IsAdmin=false to IsAdmin=true.



So how can we prevent this?

  • Check all inputs. The POST / view model says IsAdmin = true? Okay, does the caller have permission to do that?

  • Create view models that do not expose properties you do not want to be changed. Even if the property does not appear on the page, the ModelBinder will bind it if it is in the request. This means that even if you have not put IsAdmin on the page, it can be set if the view model contains the IsAdmin property.

  • You can selectively mark properties of your model as excluded from binding, but I generally don't recommend that; it's too easy to forget.

See also: ASP.NET MVC - Alternative for [Bind(Exclude = "Identity")]

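As an added illustration of the advice in the answer above (this is example code written for this page, not code from the question or from either answer), here is the over-posting the answer describes, next to the view-model fix, written in ASP.NET MVC 3-style C#. The User entity, the in-memory UserStore, the controller and action names, and the "Administrator" role name are all assumptions for the example.

```csharp
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;

// Persisted entity. IsAdmin must never be settable from a browser request.
public class User
{
    public int Id { get; set; }
    public string UserName { get; set; }
    public string Email { get; set; }
    public bool IsAdmin { get; set; }
}

// Hypothetical in-memory store standing in for the real data layer (assumed, not from the page).
public static class UserStore
{
    public static readonly Dictionary<int, User> Users = new Dictionary<int, User>();

    public static void Save(User user)
    {
        if (user.Id == 0) user.Id = Users.Count + 1;
        Users[user.Id] = user;
    }

    public static User Find(int id)
    {
        User user;
        return Users.TryGetValue(id, out user) ? user : null;
    }
}

// BEFORE (over-posting): the entity itself is the action parameter, so the default
// model binder sets every public settable property it finds in Request.Form.
// The page only renders UserName and Email, but a tampered body such as
//     UserName=mallory&Email=m%40example.com&IsAdmin=true
// binds IsAdmin = true and it is saved exactly as posted.
public class VulnerableAccountController : Controller
{
    [HttpPost]
    public ActionResult Register(User user)
    {
        if (!ModelState.IsValid) return View(user);
        UserStore.Save(user);
        return RedirectToAction("Index", "Home");
    }

    // The alternative the answer warns against: it works for this one action, but
    // every new action that binds User must remember to repeat the exclusion.
    // public ActionResult Register([Bind(Exclude = "IsAdmin")] User user) { ... }
}

// AFTER: a view model that declares only the fields the form may supply.
// IsAdmin does not exist here, so an extra form field has nothing to bind to.
public class RegisterViewModel
{
    [Required, StringLength(50)]
    public string UserName { get; set; }

    [Required, StringLength(254)]
    public string Email { get; set; }
}

public class AccountController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken] // separate concern (CSRF), but every state-changing POST should carry it
    public ActionResult Register(RegisterViewModel model)
    {
        if (!ModelState.IsValid) return View(model);

        // Copy fields by hand; the server decides IsAdmin, never the request.
        var user = new User
        {
            UserName = model.UserName,
            Email = model.Email,
            IsAdmin = false
        };
        UserStore.Save(user);
        return RedirectToAction("Index", "Home");
    }

    // Granting admin is its own action, gated on the caller's role as the server
    // knows it, not on a flag carried in the posted form. The role name is assumed.
    [HttpPost]
    [Authorize(Roles = "Administrator")]
    [ValidateAntiForgeryToken]
    public ActionResult Promote(int id)
    {
        var user = UserStore.Find(id);
        if (user == null) return HttpNotFound();
        user.IsAdmin = true;
        UserStore.Save(user);
        return RedirectToAction("Index", "Home");
    }
}
```

To see the difference, post the tampered body shown in the comment (with curl, Tamper Data, or any HTTP client) to each Register action: the first saves an admin account, the second never has a place for IsAdmin to land, and becoming an admin requires a caller who already passes the Authorize check on Promote.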


What Aaron said. Nothing can be trusted. Everything needs to be checked. If the only determining factor for "admin" is the boolean that was passed, then you need additional security, like tokens or something that can be double-checked against the database when updating / validating the data.


