During an MVC POST, I need to ensure that only the data I need is coming through to my method and all other information is ignored. I have found the BindAttribute, which works well for form posting, e.g.

```csharp
[HttpPost()]
[Route("name")]
public void GetName([Bind(include:"Name")] NameAddress value)
```

This only checks for form bindings; I'd like to check for JSON object bindings, something like this:

```csharp
[HttpPost()]
[Route("name")]
public void GetName([BindJson(include:"Name")] NameAddress value)
```

If the following were passed in the body, only the name would be set:

```json
{
    "id": 1,
    "Address": "somewhere",
    "Name": "Peter"
}
```

Coppermill
  • Try using a [View Model](https://stackoverflow.com/questions/21578814/how-to-receive-json-as-an-mvc-5-action-method-parameter); just create a ViewModel with the required fields. – Shaiju T Apr 08 '19 at 13:58

1 Answer

Create View Model

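```csharp
// View model that exposes only the property the action is allowed to receive.
public class UserVM
{
    public string Name { get; set; }
}
```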

Use in Action Method

```csharp
[HttpPost()]
[Route("name")]
public void GetName(UserVM value)
{
    string name = value.Name; // Get the Name
}
```

Check this to post JSON data from client-side JavaScript.

Shaiju T
  • I should expand a little more about the issue, here is the full security issue: "Improperly Controlled Modification of Dynamically-Determined Object Attributes". The software receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified. By manipulating the contents of an HTTP request, the attacker may be able to set attributes beyond those intended by the developer. – Coppermill Apr 09 '19 at 12:37
  • Recommendations: In .NET, explicitly specify which of the Model's attributes should be accessible using the Bind attribute by setting the Include property to each allowable property. If it is not feasible to use the preferred property Include, instead specify which attributes should not be accessible using the Bind attribute and setting the Exclude property to each prohibited property. – Coppermill Apr 09 '19 at 12:37
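
The view-model approach from the answer, applied to the JSON body in the question, as an added example that is not part of the original posts. It assumes `System.Text.Json` as a stand-in for the framework's JSON model binder; `NameRequest` and its `Unexpected` property are hypothetical names.

```csharp
using System;
using System.Collections.Generic;
using System.Text.Json;
using System.Text.Json.Serialization;

// Full entity from the question: binding JSON straight to it lets the client set every property.
public class NameAddress
{
    public int Id { get; set; }
    public string Address { get; set; }
    public string Name { get; set; }
}

// Allow-list view model (hypothetical name): Name is the only property a request can populate.
public class NameRequest
{
    public string Name { get; set; }

    // Members not declared above are collected here so they can be logged or rejected.
    [JsonExtensionData]
    public Dictionary<string, JsonElement> Unexpected { get; set; }
}

public static class Program
{
    public static void Main()
    {
        // Constructed request body, same shape as the one in the question.
        const string body = "{ \"id\": 1, \"Address\": \"somewhere\", \"Name\": \"Peter\" }";
        var options = new JsonSerializerOptions { PropertyNameCaseInsensitive = true };

        // Over-posting: all three members are bound onto the entity.
        var entity = JsonSerializer.Deserialize<NameAddress>(body, options);
        Console.WriteLine($"entity: Id={entity.Id}, Address={entity.Address}, Name={entity.Name}");

        // View model: only Name is bound; id and Address never reach a typed property.
        var request = JsonSerializer.Deserialize<NameRequest>(body, options);
        Console.WriteLine($"request: Name={request.Name}");
        if (request.Unexpected != null)
            Console.WriteLine("unexpected members: " + string.Join(", ", request.Unexpected.Keys));

        // Copy the allowed value onto the entity explicitly; Id and Address keep their defaults.
        var saved = new NameAddress { Name = request.Name };
        var address = saved.Address ?? "(null)";
        Console.WriteLine($"saved: Id={saved.Id}, Address={address}, Name={saved.Name}");
    }
}
```

Checking `Unexpected` in the action gives a place to log or reject requests that carry extra members, which is useful when tracking attempts against the weakness quoted in the comments.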