
I have a .NET Core 3.1 Web API with multiple controllers and actions. I am using some models in my actions to receive data from the request payload (as JSON). I need to verify each JSON input parameter key against the model in order to prevent parameter tampering.

[HttpPost]
public IActionResult GetData([FromBody] SelectnObject obj)
{
    var output = obj; // placeholder: the original snippet does not show where "output" comes from
    return Ok(JsonConvert.SerializeObject(output));
}

My model is like this:

public class SelectnObject
{
    public string id { get; set; }
    public string name { get; set; }
}

Here I need to validate 2 things:

  1. Validate the JSON structure; for example, the one below is also treated as valid (duplicated property keys)

    {
        "id": "id1",
        "id": "id2",
        "name": "name1"
    }


    For this I got a solution from How to validate json request body as valid json in asp.net core (but here I need a combined solution for the issue below as well).

  2. Validate all keys before getting into the actions (to avoid parameter tampering) - here my input request (SelectnObject) should only contain the valid keys in the model (like id and name). If the request has any modified key, I should not allow it to get into the action. For example

    {
        "idTmp": "id1",
        "name": "name1"
    }
    

    The above request should throw some exception because it has been altered by a 3rd party. Here I want some global configuration for both issues because I have so many actions and controllers.

Can we achieve both in a single custom filter configuration in the API?

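One way to do both checks from a single piece of global configuration, as an added example that is not code from the question or its comments: a custom TextInputFormatter built on Newtonsoft.Json (the Microsoft.AspNetCore.Mvc.NewtonsoftJson package; DuplicatePropertyNameHandling needs Newtonsoft.Json 12.0.1 or later). The class name StrictJsonInputFormatter and the registration line are my own choices.

```csharp
using System.IO;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc.Formatters;
using Microsoft.Net.Http.Headers;
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;

// One input formatter covering both checks, so every action that binds a
// [FromBody] model is protected without per-action code.
public class StrictJsonInputFormatter : TextInputFormatter
{
    // Check 1: a duplicated key ("id" twice) is a parse error, not last-one-wins.
    private static readonly JsonLoadSettings LoadSettings = new JsonLoadSettings
    {
        DuplicatePropertyNameHandling = DuplicatePropertyNameHandling.Error
    };

    // Check 2: a key with no matching model property ("idTmp") is a
    // deserialization error instead of being silently dropped.
    private static readonly JsonSerializer Serializer = JsonSerializer.Create(
        new JsonSerializerSettings { MissingMemberHandling = MissingMemberHandling.Error });

    public StrictJsonInputFormatter()
    {
        SupportedMediaTypes.Add(MediaTypeHeaderValue.Parse("application/json"));
        SupportedEncodings.Add(Encoding.UTF8);
    }

    public override async Task<InputFormatterResult> ReadRequestBodyAsync(
        InputFormatterContext context, Encoding encoding)
    {
        using var reader = new StreamReader(context.HttpContext.Request.Body, encoding);
        var json = await reader.ReadToEndAsync();
        try
        {
            var tree = JToken.Parse(json, LoadSettings);              // duplicates rejected here
            var model = tree.ToObject(context.ModelType, Serializer); // unknown keys rejected here
            return await InputFormatterResult.SuccessAsync(model);
        }
        catch (JsonException ex)
        {
            // Becomes an automatic 400 ValidationProblemDetails on [ApiController] controllers.
            context.ModelState.AddModelError(context.ModelName, ex.Message);
            return await InputFormatterResult.FailureAsync();
        }
    }
}
// Startup.ConfigureServices: register it ahead of the default JSON formatter.
// services.AddControllers(o => o.InputFormatters.Insert(0, new StrictJsonInputFormatter()));
```

Controllers without [ApiController] must check ModelState.IsValid themselves, and a model with a [JsonExtensionData] property would collect unknown keys instead of failing, so avoid that attribute on request models.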
    Which JSON parser you used? – MichaelMao Dec 28 '20 at 11:16
  • Have you considered using anti forgery tokens? – mjwills Dec 28 '20 at 11:49
  • @MichaelMao : Newtonsoft.Json – user3501613 Dec 28 '20 at 12:03
  • In an existing property or a new property (if it is a new property - no problem, the JSON parser will ignore it anyway)? Plus, who cares if they do add that script tag? HTML encoding will fix that for you if needed. – mjwills Dec 28 '20 at 12:09
  • Do we need to add this HTML encoding on the API side also??? Because currently they are making requests from some 3rd-party tool and my API is ignoring the altered properties, taking the other properties and getting some data. I need to restrict this completely – user3501613 Dec 28 '20 at 12:12
  • But **why do you care** (about that `alert` in the screenshot)? What is the attack vector here? Just ignore the property - which the json parser will do for you _for free_. – mjwills Dec 28 '20 at 12:30
  • And in terms of the userid - is that the userid of the logged in user? If so, why pass it up at all? The server side knows who is logged in - get the details server-side as needed. – mjwills Dec 28 '20 at 12:32
  • @mjwills : it is a request from the security testing team to throw an exception if any unknown keys are passed to the API call; in the above screenshot also the userId and stdyName will be considered undefined and it will execute the other code – user3501613 Dec 28 '20 at 12:43
  • Have you tried https://stackoverflow.com/questions/21030712/detect-if-deserialized-object-is-missing-a-field-with-the-jsonconvert-class-in-j ? – mjwills Dec 28 '20 at 13:05
