Web security Related (iv): Excessive publishing (over Posting)

Source: Internet
Author: User

Brief introduction

It's relatively simple to publish too much, so I'm just going to translate some of the key information from the original. The original link is as follows:

Http://www.asp.net/mvc/overview/getting-started/getting-started-with-ef-using-mvc/ Implementing-basic-crud-functionality-with-the-entity-framework-in-asp-net-mvc-application#overpost

  

Sample code Download:

Https://code.msdn.microsoft.com/ASPNET-MVC-Application-b01a9fe8

Analysis

Suppose there is a class student, which is used to map a database and a field in student secret you do not want to modify its value on the page.

  

Even if there are no secret fields on the interface, hacker can modify secret values by using some tools (such as Fildder) or writing JS to send requests.

  

For example, the value of secret is modified to Overpost.

Prevent

In ASP. NET, there are probably several ways to prevent too many publications:

1. Use the Include attribute in Bindattribute to add the fields that need to be mapped to the whitelist.

Public ActionResult Create ([Bind (Include = "LastName, Firstmidname, enrollmentdate")]student Student)

2. Use the properties in Bindattribute to Exclude add a blacklist of fields that are not allowed to be mapped.

Public ActionResult Create ([Bind (Exclude = "Secret")]student Student)

3. Use the TryUpdateModel method to validate the model by setting the fields that need to be mapped.

if (TryUpdateModel (student, "", new string[] {"LastName", "Firstmidname", "EnrollmentDate"}))

{

}

  

4. Define a new class as the input parameter

public class Studentform

{

public string LastName {get; set;}

public string Firstmidname {get; set;}

Public DateTime enrollmentdate {get; set;}

}

Web security Related (iv): Excessive publishing (over Posting)

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.