2

I have a model named 'User' with the fields 'UserId, Username, Status'. On the index page I am listing all users along with edit and delete functionality. Here is my code:

<table>
@foreach (var item in Model)
{
    <tr>
      <td>@Html.DisplayFor(modelItem => item.Username)</td>
      <td>@Html.DisplayFor(modelItem => item.Status)</td>
      @* class, not id: an id must be unique per page, and the loop emits one button per row *@
      <td><input type='button' class='btnEdit' data-id='@item.UserId' value='Edit'/></td>
    </tr>
}
</table>

It is rendered as:

   <table>
     <tr>
       <td>USER ONE</td>
       <td>active</td>
       <td><input type='button' class='btnEdit' data-id='1041' value='Edit'/></td>
     </tr>
     <tr>
       <td>USER TWO</td>
       <td>active</td>
       <td><input type='button' class='btnEdit' data-id='1042' value='Edit'/></td>
     </tr>
   </table>

And upon clicking btnEdit, I use a jQuery ajax call to the controller like this:

// Class selector: $("#btnEdit") would bind only the first row's button
$(".btnEdit").on("click", function () {
    $.ajax({
        cache: false,
        type: "POST",
        url: "/User/Edit",
        // Send the value as a named field so it binds to the action's 'id' parameter
        data: { id: $(this).data('id') },
        success: function (response) {
            //rest of code here
        }
    });
});

QUESTION:

How can I make UserId hidden and read it from jQuery for the selected row, so that no one can change it from the browser using Inspect Element?

tango
  • You cannot 'hide' it. What would be the problem with a malicious user changing it anyway? –  Sep 18 '15 at 06:52
  • use form with Antiforgerytoken to disrespect any such malicious requests – Vinay Pratap Singh Bhadauria Sep 18 '15 at 06:55
  • @StephenMuecke: Sir, it is authorization based, so not all users can see every other listed user; if UserId is open to him, he can tamper with it from the browser and exploit system functionality. – tango Sep 18 '15 at 07:02
  • 3
    You must **always** validate on the server. If the user posts back an ID which is associated with the resource which they should not have access to then throw an error –  Sep 18 '15 at 07:03
  • @StephenMuecke: Sir, it means I have to write a full security mechanism to validate every activity on the server side, since 'User' is only one model; I have other models too which need to be protected from tampering. – tango Sep 18 '15 at 07:17
  • 1
    Yes you must _write a full security mechanism to validate every activity at server side_ if you want to secure your site. –  Sep 18 '15 at 07:19
  • @StephenMuecke: Sir, what do Facebook or other big companies do to avoid tampering, not only with users but also Facebook posts, comments, pages, groups? – tango Sep 18 '15 at 07:20
  • You will have to ask them:) –  Sep 18 '15 at 07:22

2 Answers

0

For future readers, I wanted to mark this question as solved; thanks to Stephen Muecke, Vinay Singh and Zoran for their valuable time and guidance.

Here are the steps I took to make my site less vulnerable.

  1. Used a form with AntiForgeryToken to disrespect any such malicious requests. (as suggested by Vinay Singh)

  2. Encrypted / decrypted my ids so that at least a normal end user cannot play with them by changing their value. (as suggested by Zoran)

  3. Most importantly, to protect against a bad end user, I am validating each request on the server side, checking whether or not the current user is authorized to make this request, etc. (as suggested by Sir Stephen Muecke)

tango
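The server-side check behind steps 1 and 3, as an added example in ASP.NET MVC 5; this is not code from the question or from this answer. It assumes an Entity Framework context named ApplicationDbContext with a Users DbSet, the User model from the question, and a hypothetical CanManage rule standing in for the site's real authorization logic.

```csharp
// Added example (not the question's or the answer's code): the Edit action validates
// the posted id on the server instead of trusting the data-id attribute in the page.
// Assumed: ApplicationDbContext (EF) with a Users DbSet, and the User model above.
using System;
using System.Net;
using System.Web.Mvc;

public class UserController : Controller
{
    private readonly ApplicationDbContext _db = new ApplicationDbContext(); // assumed EF context

    // [ValidateAntiForgeryToken] rejects POSTs that do not carry the token minted for this
    // session (cross-site requests). It does NOT authorize the id: a logged-in user can
    // still post any data-id he sees or guesses, so the ownership check below is what
    // actually stops him. That check runs on every request, whatever the client sent.
    [HttpPost]
    [Authorize]
    [ValidateAntiForgeryToken]
    public ActionResult Edit(int id)
    {
        var target = _db.Users.Find(id);
        if (target == null)
        {
            return HttpNotFound();
        }

        if (!CanManage(target))
        {
            // A valid session posting an id it was never shown is either a tampered
            // request or a bug in the page; worth logging with the project's logger.
            return new HttpStatusCodeResult(HttpStatusCode.Forbidden);
        }

        return PartialView("_EditUser", target);
    }

    // Hypothetical authorization rule: admins may edit anyone, everyone else only
    // themselves. Replace with the site's real rule (roles, ownership, tenant, ...).
    private bool CanManage(User target)
    {
        if (User.IsInRole("Admin"))
        {
            return true;
        }
        return string.Equals(target.Username, User.Identity.Name,
                             StringComparison.OrdinalIgnoreCase);
    }

    protected override void Dispose(bool disposing)
    {
        if (disposing)
        {
            _db.Dispose();
        }
        base.Dispose(disposing);
    }
}
```

For the token to reach the action from the ajax call, the view needs @Html.AntiForgeryToken() inside a form and the request must include the hidden field's value, for example data: { __RequestVerificationToken: $('input[name=__RequestVerificationToken]').val(), id: $(this).data('id') }. The same pattern (load the target row, ask "may this caller act on it", then proceed) is what has to be repeated for every other model and action; the anti-forgery attribute is the only part that can simply be stamped on.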
-1

If you need to call it from jQuery, it means it is available on the client side, which means it is available in the visitor's browser, which means he is able to change it.

If you needed it on the code side only, you could use Session, but there is no way for you to hide something which is on the client side.

For the same issue I used this: Simple insecure two-way "obfuscation" for C#

Zoran P.
  • @Zoran P.: Sir, the only intention of using jQuery ajax is to make the call seamless; if there is any other possibility of a seamless call without compromising data integrity, I would love to use it, please guide – tango Sep 18 '15 at 07:03
  • Considering the comments above, your best bet and easiest way to do this is to simply obfuscate the UserId by encrypting it, and then send the encrypted value back to the server, which can decrypt it. If you do this properly, no one will be able to access other users'. – Zoran P. Sep 18 '15 at 07:32
  • Sir, you mean I should use these functions: string EncodeTo64(string normal_Id) and string DecodeFrom64(string encrypted_Id) – tango Sep 18 '15 at 07:50
  • @tango, Using encrypted values is nonsense. The value will still be visible, so a malicious user can just post back the encrypted value. It makes no difference whether the user sees `data-id='1042'` or `data-id='X^KY#$iw'` – it's still visible –  Sep 18 '15 at 08:02
  • @Stephen proper encryption is done with a secret key that only you (and server-side code) know. How will a malicious user be able to just post a proper encrypted value? – Zoran P. Sep 18 '15 at 08:44
  • OP is generating the value in the html (as a `data-id` attribute)! If a malicious user could have posted back the actual value of the ID (say `1042`) because it was visible, then they can post back the encrypted value (because it's visible) and it will be decrypted on the server –  Sep 18 '15 at 08:48
  • 1
    The value is not generated in the html. data-id='@item.UserId' can as easily be data-id='@item.EncUserId'. And the malicious user CAN post what he thinks is a valid encrypted value, but how can he know what is valid if he doesn't know the secret key? – Zoran P. Sep 18 '15 at 08:57