Brief introduction
Over-posting is a relatively simple topic, so I'm only going to translate some of the key information from the original. The original link is:
http://www.asp.net/mvc/overview/getting-started/getting-started-with-ef-using-mvc/implementing-basic-crud-functionality-with-the-entity-framework-in-asp-net-mvc-application#overpost
Sample code download:
https://code.msdn.microsoft.com/ASPNET-MVC-Application-b01a9fe8
Analysis
Suppose there is a class Student that maps to a database table, and Student has a field Secret whose value you do not want to be modifiable from the page.
Even if there is no Secret field in the user interface, an attacker can still set the Secret value by using a tool such as Fiddler, or by writing JS that sends the request directly, because the default model binder fills every settable property of Student from the posted form values.
For example, the value of Secret could be changed to "Overpost".
Prevention
In ASP.NET MVC there are roughly the following ways to prevent over-posting:
1. Use the Include property of BindAttribute to whitelist the fields that are allowed to be bound.
public ActionResult Create([Bind(Include = "LastName,FirstMidName,EnrollmentDate")] Student student)
2. Use the Exclude property of BindAttribute to blacklist the fields that must not be bound.
public ActionResult Create([Bind(Exclude = "Secret")] Student student)
3. Use the TryUpdateModel method to validate the model by setting the fields that need to be mapped.
if (TryUpdateModel (student, "", new string[] {"LastName", "Firstmidname", "EnrollmentDate"}))
{
}
4. Define a separate input class (a view model) and use it as the action parameter, so a Secret field in the request has nothing to bind to.
public class StudentForm
{
    public string LastName { get; set; }
    public string FirstMidName { get; set; }
    public DateTime EnrollmentDate { get; set; }
}
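The following controller puts the four approaches above side by side with the vulnerable version they replace. It is an added example written for this article, not code from the original Microsoft tutorial or its sample download. It assumes an ASP.NET MVC 5 project with Entity Framework 6; the SchoolContext class, the Student entity with its Secret column, the StudentForm view model and the action names are illustrative, and the value written to Secret in CreateWithForm is a constructed stand-in for whatever the real application assigns server-side. Of the two Bind variants, the Include whitelist (approach 1) is the safer default: an Exclude blacklist silently stops protecting you the moment a new sensitive property is added to Student without the attribute being updated.

```csharp
// Added example: vulnerable action beside the hardened variants from the article.
// Assumes ASP.NET MVC 5 + EF 6. All type and action names are illustrative.
using System;
using System.ComponentModel.DataAnnotations;
using System.Data.Entity;
using System.Web.Mvc;

namespace OverPostingDemo
{
    public class Student
    {
        public int ID { get; set; }
        [Required] public string LastName { get; set; }
        [Required] public string FirstMidName { get; set; }
        public DateTime EnrollmentDate { get; set; }
        // Server-controlled column: must never be taken from the request.
        public string Secret { get; set; }
    }

    // Approach 4: an input class that simply has no Secret member,
    // so a posted "Secret=Overpost" field has nothing to bind to.
    public class StudentForm
    {
        [Required] public string LastName { get; set; }
        [Required] public string FirstMidName { get; set; }
        public DateTime EnrollmentDate { get; set; }
    }

    // Hypothetical EF context for the example.
    public class SchoolContext : DbContext
    {
        public DbSet<Student> Students { get; set; }
    }

    public class StudentController : Controller
    {
        private readonly SchoolContext db = new SchoolContext();

        // VULNERABLE: the default binder sets every settable property of Student,
        // so an extra "Secret" form field supplied by the client reaches the database.
        [HttpPost, ValidateAntiForgeryToken]
        public ActionResult CreateUnsafe(Student student)
        {
            if (!ModelState.IsValid) return View(student);
            db.Students.Add(student);
            db.SaveChanges();
            return RedirectToAction("Index");
        }

        // Approach 1: whitelist. Secret is not in the Include list, so the binder
        // ignores it even when it is present in the request body.
        [HttpPost, ValidateAntiForgeryToken]
        public ActionResult Create(
            [Bind(Include = "LastName,FirstMidName,EnrollmentDate")] Student student)
        {
            if (!ModelState.IsValid) return View(student);
            db.Students.Add(student);
            db.SaveChanges();
            return RedirectToAction("Index");
        }

        // Approach 4: bind the view model, then copy the allowed fields by hand.
        // Secret is assigned on the server and never read from user input.
        [HttpPost, ValidateAntiForgeryToken]
        public ActionResult CreateWithForm(StudentForm form)
        {
            if (!ModelState.IsValid) return View(form);
            var student = new Student
            {
                LastName = form.LastName,
                FirstMidName = form.FirstMidName,
                EnrollmentDate = form.EnrollmentDate,
                Secret = Guid.NewGuid().ToString("N") // constructed server-side value
            };
            db.Students.Add(student);
            db.SaveChanges();
            return RedirectToAction("Index");
        }

        // Approach 3 for edits: load the entity, then let TryUpdateModel change only
        // the three named properties. A posted Secret value is dropped.
        [HttpPost, ActionName("Edit"), ValidateAntiForgeryToken]
        public ActionResult EditPost(int id)
        {
            var studentToUpdate = db.Students.Find(id);
            if (studentToUpdate == null) return HttpNotFound();

            if (TryUpdateModel(studentToUpdate, "",
                new[] { "LastName", "FirstMidName", "EnrollmentDate" }))
            {
                db.SaveChanges();
                return RedirectToAction("Index");
            }
            return View(studentToUpdate);
        }
    }
}
```

A quick way to check any of these actions is to submit the form with an additional Secret field appended to the body and then inspect the stored row: CreateUnsafe persists the injected value, while Create, CreateWithForm and EditPost leave Secret at whatever the server assigned.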
Web security related (IV): Over-posting