3

A recent MVC3 project of mine has been hacked by my lecturer and he won't tell me exactly how he did it until he makes a presentation to the class in a few weeks. I however cannot wait this long.

My question is, is there a way to intercept the data being sent from a View to a Controller's POST method? If so, what is this method known as and how can I stop it?

FOR EXAMPLE:

A registration page that POSTs a User object to the database. The User object has a boolean Admin which is auto-set to false. The hacker intercepts the POST and changes the value of the User's Admin attribute to true.

Any help would be great.

AstroCB
doreye01
  • 1
    Can you post your controller action and UserModel please? – Bryan A Feb 05 '13 at 15:35
  • 2
    You say he "hacked" your site. Can you be more specific about what was actually done? I would guess he either used brute-force or Cross-Site Scripting. – Robert Feb 05 '13 at 15:36
  • 2
    Anything a post method can accept can be sent to it. Thus, anyone can post a new user with admin set to true. You need to manually set admin to false within your post method except for the specific cases where you want to allow it to be true. – Aaron Hawkins Feb 05 '13 at 15:45

2 Answers

5

There's nothing special or protected about a request made to a controller (or any HTTP handler). It's just a string of name/value pairs which can be altered at will. Look at Request.Form in the immediate window of your Visual Studio debugger.

You can tamper with form data using a tool like the Firefox Tamper Data plugin. It's trivial to modify even without a tool using a few lines of code. You don't even need a web browser to do so.

My guess is your lecturer simply altered the POST from IsAdmin=false to IsAdmin=true.

So how can we prevent this?

  • Validate all inputs. The POST/view model says IsAdmin=true? Okay, does the caller have the rights to make that assignment?

  • Create view models which don't expose the properties you don't want to be altered. Even if a property isn't displayed on a page, the ModelBinder will bind it if it is in the request. This means that even if you didn't put an IsAdmin checkbox on the page it can be set if the view model contains an IsAdmin property.

  • You can selectively mark properties of your model as not bindable, but I usually don't recommend this; it's too easy to forget.

See also: ASP.NET MVC - Alternative for [Bind(Exclude = "Id")]

Community
Tim M.
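To make the over-posting risk and the view-model fix concrete, here is an added example (not code from the question or either answer) that puts a registration action binding the entity directly beside one binding a view model that has no IsAdmin property. User, RegisterViewModel, IUserRepository and AccountController are assumed names, not the asker's code.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;

// Entity persisted to the database (assumed shape, not the asker's model).
public class User
{
    [Required] public string UserName { get; set; }
    [Required] public string Password { get; set; }
    public bool IsAdmin { get; set; }
}
// View model for the public registration form. It deliberately has no IsAdmin
// property, so an injected "IsAdmin=true" field in the POST has nothing to bind to.
public class RegisterViewModel
{
    [Required] public string UserName { get; set; }
    [Required] public string Password { get; set; }
}
// Assumed persistence abstraction so the controller compiles stand-alone.
public interface IUserRepository { void Add(User user); }

public class AccountController : Controller
{
    private readonly IUserRepository _users;
    public AccountController(IUserRepository users) { _users = users; }

    // VULNERABLE: binding the entity directly lets DefaultModelBinder populate
    // IsAdmin from the request even though the form never renders that field.
    [HttpPost]
    public ActionResult RegisterUnsafe(User user)
    {
        if (!ModelState.IsValid) return View(user);
        _users.Add(user); // IsAdmin is whatever the client chose to send
        return RedirectToAction("Index", "Home");
    }

    // HARDENED: bind only the fields the form is meant to supply, then build the
    // entity server-side so IsAdmin is decided by the server, never by the client.
    [HttpPost]
    public ActionResult Register(RegisterViewModel model)
    {
        if (!ModelState.IsValid) return View(model);
        var user = new User
        {
            UserName = model.UserName,
            Password = model.Password, // hash before storing in real code
            IsAdmin = false            // not derived from request input
        };
        _users.Add(user);
        return RedirectToAction("Index", "Home");
    }
}
```

The same pattern applies to any edit action: whatever the view model omits cannot be set by the request, and anything it does include still needs an authorization check before it is copied to the entity.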
0

What Aaron said. Nothing can be trusted. Everything must be checked. If the only determining factor of "admin" is a boolean value that's passed in, you'll need more security, such as tokens or something that can be double checked in the database when you are updating/checking data.

Mark S