
I have to secure my HTML helpers like TextBoxFor in MVC so that if a user inspects (F12) and changes the value, I should take the original value or prompt with an error. Is there any way to achieve this except disabling F12 or the inspect option through some jQuery, and keeping my value in some storage at the controller level and getting it again after posting?

I understand these workarounds, but I want to secure HTML helpers at the Razor level, maybe through some custom HTML helper? Please suggest.

example:

<div class="form-group">
    @* "readonly" is a C# keyword, so it needs the @ prefix in the anonymous object *@
    @Html.TextBoxFor(x => x.PersonNameAr, new { @class = "form-control", @readonly = "readonly" })
    @* OR: a disabled input is not submitted with the form at all *@
    @Html.TextBoxFor(x => x.PersonNameAr, new { @class = "form-control", @disabled = "disabled" })
</div>
    If it's visible in source code in the browser, it is not secure. If you don't want users being able to change these value, don't present them. And use a ViewModel to prevent overposting. – Mike Brind Sep 17 '19 at 20:36

1 Answer


As a developer who wants to make a secure website, you have to pay attention to some details:

  • If there is something that the user is not eligible to see, even if it's in a cookie, session, or hidden input, don't leak it to them.
  • You can't prevent the user from accessing their own computer's abilities. Google Chrome or any other software installed on the user's computer is not something you should be able to access and change the properties of without official permission from the user; if you do it, you've hacked the user's software.

  • If there is some data that is important to you, and you have to access it from your front-end, and the user is not eligible to access it, you have to save it somewhere that the user does not have access to; somewhere like your database table. But HTML tags, cookies, sessionStorage, localStorage, ... these are not good places to save important data; they are the best places to save weak data that does not affect your site's functionality.

There is an endless list of things to pay attention to, but for now that's enough.

If you want to prevent the user from overposting data, there are multiple ways to do so:

  1. Bind attribute. You can use the Bind attribute in your controller's action to include or exclude certain data so that the user can't pass it to your action as model properties.

Imagine you have a User model as below:

public class User
{
    public int UserId { get; set; }
    public string UserName { get; set; }
    public string FirstName { get; set; }
    public string LastName { get; set; }
    public bool IsActive { get; set; }
}

and this is your Edit action:

[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult Edit(User user)
{
    // save user to database, then redirect
    return RedirectToAction("Index");
}

And you don't want the user to be able to change the IsActive property.

If you leave your action like the above, any clever user can add an extra property to the form and post it to the action. But using the Bind attribute like below you can prevent this kind of attack:

[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult Edit([Bind(Include = "UserName", Exclude = "IsActive")] User user)
{
    // only UserName is bound from the request; a posted IsActive value is ignored
    // save user to database, then redirect
    return RedirectToAction("Index");
}
  2. You can use a ViewModel. Using a ViewModel for each view helps you keep things simple and not lose a point even if you accidentally forget to use the Bind attribute. In this case you can request or retrieve specific properties, and not only prevent attacks, but also save some memory.

  3. Server-side checking. In the POST methods you can check your input explicitly to make sure the user's input does not damage your program.

  • I understand all these preventions, but what I am asking is: is there any way I can see the values of the disabled control at the back end if they were changed, and then prompt the user, except for comparing the old and new value? – Mazhar Hayat Sep 18 '19 at 04:33
  • You could track the DOM changes and collect changed data using JavaScript, jQuery, ... and then send them back to your server and do whatever you want. Take a look at [this](https://stackoverflow.com/questions/959670/generic-way-to-detect-if-html-form-is-edited) –  Sep 18 '19 at 11:43
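The following is an added example (not code from the question or the answer above) that puts the answer's three points together in ASP.NET MVC 5 style: a ViewModel that exposes only the editable fields, so a posted IsActive value is never bound, plus the server-side check the asker was after, where the read-only value is compared against the persisted record and the user is prompted via ModelState if it differs. The IUserRepository interface and the UsersController are assumptions for illustration; they are not part of the page.

```csharp
using System;
using System.Web.Mvc;

// Persisted entity (the User model from the answer); assumed to live in the database.
public class User
{
    public int UserId { get; set; }
    public string UserName { get; set; }
    public string FirstName { get; set; }
    public string LastName { get; set; }
    public bool IsActive { get; set; }
}

// ViewModel: only what the edit form is allowed to send back.
// IsActive is deliberately absent, so an extra "IsActive=true" field in the POST is ignored.
public class EditUserViewModel
{
    public int UserId { get; set; }
    public string FirstName { get; set; }
    public string LastName { get; set; }
    // Rendered read-only in the view (@readonly = "readonly"); the server still treats
    // it as untrusted input and re-checks it against the stored value.
    public string UserName { get; set; }
}

// Hypothetical data-access abstraction (assumption, not from the page).
public interface IUserRepository
{
    User Find(int id);
    void Save(User user);
}

public class UsersController : Controller
{
    private readonly IUserRepository _repo;

    public UsersController(IUserRepository repo)
    {
        _repo = repo;
    }

    [HttpGet]
    public ActionResult Edit(int id)
    {
        var user = _repo.Find(id);
        if (user == null) return HttpNotFound();

        // Map only the fields the form needs; the secret/authoritative data stays server-side.
        return View(new EditUserViewModel
        {
            UserId = user.UserId,
            UserName = user.UserName,
            FirstName = user.FirstName,
            LastName = user.LastName
        });
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Edit(EditUserViewModel vm)
    {
        if (!ModelState.IsValid) return View(vm);

        // The stored record is the source of truth, not whatever the browser sent.
        var user = _repo.Find(vm.UserId);
        if (user == null) return HttpNotFound();

        // Server-side check: the read-only field must still equal what we rendered.
        // A mismatch means the input was altered client-side; restore the original and prompt.
        if (!string.Equals(user.UserName, vm.UserName, StringComparison.Ordinal))
        {
            ModelState.AddModelError("UserName", "The user name cannot be changed.");
            vm.UserName = user.UserName;
            return View(vm);
        }

        // Copy only the editable fields. IsActive is never touched from this action,
        // regardless of what the request contained.
        user.FirstName = vm.FirstName;
        user.LastName = vm.LastName;
        _repo.Save(user);

        return RedirectToAction("Index");
    }
}
```

Two points worth keeping in mind when adopting this pattern: a disabled input is not submitted by the browser at all, so the comparison above only applies to readonly inputs (a disabled control would simply arrive as null and should be ignored rather than compared); and the check is meaningful only because the server re-reads the value from its own store, which is exactly the "keep the original on the server" approach rather than anything done at the Razor or F12 level.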