
Can user hack values in action parameter?

Question:

Example:

I have table Orders and table OrderPositions.

```csharp
using System.Collections.Generic;

public partial class Orders
{
    public Orders()
    {
        this.OrderPositions = new HashSet<OrderPositions>();
    }

    public int OrderId { get; set; }
    public string Title { get; set; }

    public virtual ICollection<OrderPositions> OrderPositions { get; set; }
}

public partial class OrderPositions
{
    public int OrderPositionId { get; set; }
    public int OrderId { get; set; }
    public string Name { get; set; }

    public virtual Orders Orders { get; set; }
}
```

On the view the user **can modify a single record from the OrderPositions** table. In the controller:

```csharp
[HttpPost]
public ActionResult Edit(OrderPositions orderPosition)
{
    // save orderPosition
}
```

So the parameter orderPosition.Orders should be null, because on the form in the view the user can modify only the order position. But can the user hack it? I mean, could orderPosition.Orders arrive in the parameter not null, so that I update a record not only in table OrderPositions but also in table Orders? Or does ASP.NET MVC prevent that situation?

Answer1:

It really depends on what you do here:

```csharp
[HttpPost]
public ActionResult Edit(OrderPositions orderPosition)
{
    // save orderPosition
}
```

If you're saving the whole entity then yes, there is nothing stopping a user from passing over additional entity properties. There are a few ways to prevent this though; here are a couple...

**1. Create a new entity at the point of saving**

```csharp
[HttpPost]
public ActionResult Edit(OrderPositions orderPosition)
{
    if (ModelState.IsValid)
    {
        // Copy only the fields the form is allowed to set; the posted
        // Orders navigation property is never touched.
        var order = new OrderPositions
        {
            OrderPositionId = orderPosition.OrderPositionId,
            OrderId = orderPosition.OrderId,
            Name = orderPosition.Name
        };
        // Then save this new entity
        return RedirectToAction("Index");
    }

    return View(orderPosition);
}
```

**2. Create a model specific to the entity's action**

```csharp
public class EditOrderPosition
{
    [Required]
    public int PositionId { get; set; }

    [Required]
    public int Id { get; set; }

    [Required]
    public string Name { get; set; }
}

[HttpPost]
public ActionResult Edit(EditOrderPosition model)
{
    if (ModelState.IsValid)
    {
        // The model has no Orders property, so nothing posted under
        // "Orders.*" can reach the entity.
        var order = new OrderPositions
        {
            OrderPositionId = model.PositionId,
            OrderId = model.Id,
            Name = model.Name
        };
        // Then save this new entity
        return RedirectToAction("Index");
    }

    return View(model);
}
```

I generally go with the 2nd method as it stops direct user involvement with my entities. As a rule of thumb I never use entity objects as parameters in controller actions.

Hope this helps

Answer2:

Yes, they can. This is one reason I do not expose my entities as a parameter to action methods; instead I use DTOs that only have the properties that I expect.

This is an example of the [Mass Assignment Vulnerability](http://odetocode.com/blogs/scott/archive/2012/03/12/complete-guide-to-mass-assignment-in-asp-net-mvc.aspx).
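As an added example (not code from the question or from Answer1 or Answer2), here is the DTO/view-model approach both answers recommend, taken one step further: the action reloads the stored row and copies across only the whitelisted field, so a posted `Orders.Title` key has no property to bind to and `OrderId` is never taken from the request. `ShopContext` and the `Details` action are assumed names.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Data.Entity;
using System.Web.Mvc;

// Hypothetical EF context, assumed to expose the OrderPositions table.
public class ShopContext : DbContext
{
    public DbSet<OrderPositions> OrderPositions { get; set; }
}

// View model: only the fields the edit form may change. A posted
// "Orders.Title=..." key matches nothing here, so the binder drops it.
public class EditOrderPositionViewModel
{
    [Required]
    public int OrderPositionId { get; set; }

    [Required, StringLength(100)]
    public string Name { get; set; }
}

public class OrderPositionsController : Controller
{
    private readonly ShopContext _db = new ShopContext();

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Edit(EditOrderPositionViewModel model)
    {
        if (!ModelState.IsValid)
            return View(model);

        // Load the stored row and copy only the whitelisted field onto it.
        // OrderId and the Orders navigation property come from the database,
        // never from the request, so the Orders table cannot be changed here.
        var position = _db.OrderPositions.Find(model.OrderPositionId);
        if (position == null)
            return HttpNotFound();

        position.Name = model.Name;
        _db.SaveChanges();

        return RedirectToAction("Details", "Orders", new { id = position.OrderId });
    }
}
```

If the entity itself must remain the parameter, `[Bind(Include = "OrderPositionId,Name")]` on it whitelists the bindable top-level properties in the same way, leaving `Orders` null.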

Answer3:

Yes, there is nothing preventing a rogue app from calling your endpoint with arbitrary data. Always validate everything server-side.
