Web Security (4): Over-Posting
Introduction
Over-posting is a relatively simple topic, so I will only translate the key points of the original article. The original article is here:
http://www.asp.net/mvc/overview/getting-started/getting-started-with-ef-using-mvc/implementing-basic-crud-functionality-with-the-entity-framework-in-asp-net-mvc-application#overpost
Download the sample code:
https://code.msdn.microsoft.com/ASPNET-MVC-Application-b01a9fe8
Analysis
Suppose there is a class Student that is mapped to a database table, and one of its fields, Secret, must not be modifiable from the page.
Even if the page contains no Secret field, an attacker can use a tool such as Fiddler, or write JavaScript, to send a request that also carries a Secret value; the default model binder will happily bind it.
For example, the request sets Secret to "OverPost", and that value is written to the database.
Prevent
In ASP.NET MVC there are several ways to prevent over-posting:
1. Use the Include property of BindAttribute to whitelist the fields that may be bound.
public ActionResult Create([Bind(Include = "LastName, FirstMidName, EnrollmentDate")] Student student)
2. Use the Exclude property of BindAttribute to blacklist the fields that must not be bound.
public ActionResult Create([Bind(Exclude = "Secret")] Student student)
3. Use the TryUpdateModel method and pass the list of fields to bind when validating the model.
if (TryUpdateModel(student, "", new string[] { "LastName", "FirstMidName", "EnrollmentDate" }))
{ }
4. Define a separate class (a view model) as the input parameter, containing only the fields the client is allowed to set.
public class StudentForm
{
    public string LastName { get; set; }
    public string FirstMidName { get; set; }
    public DateTime EnrollmentDate { get; set; }
}
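The over-postable action and the view-model defence (method 4) side by side, as an added example that is not code from the original article or its sample project; the names StudentController, SchoolContext and _db are assumed:

```csharp
using System;
using System.Web.Mvc;
// Entity mapped to the database; Secret is server-controlled.
public class Student
{
    public string LastName { get; set; }
    public string FirstMidName { get; set; }
    public DateTime EnrollmentDate { get; set; }
    public string Secret { get; set; }
}

// Form type: it has no Secret property, so there is nothing to over-post.
public class StudentForm
{
    public string LastName { get; set; }
    public string FirstMidName { get; set; }
    public DateTime EnrollmentDate { get; set; }
}

public class StudentController : Controller
{
    private readonly SchoolContext _db = new SchoolContext(); // assumed EF DbContext
    // Vulnerable: the default model binder sets every public property it finds
    // in the request, so an extra "Secret=OverPost" form field reaches the DB.
    [HttpPost]
    public ActionResult CreateUnsafe(Student student)
    {
        _db.Students.Add(student);
        _db.SaveChanges();
        return RedirectToAction("Index");
    }
    // Hardened: bind only the form type and copy fields to the entity by hand;
    // Secret is assigned by the server and cannot be supplied by the client.
    [HttpPost]
    public ActionResult Create(StudentForm form)
    {
        if (!ModelState.IsValid) return View(form);
        var student = new Student
        {
            LastName = form.LastName,
            FirstMidName = form.FirstMidName,
            EnrollmentDate = form.EnrollmentDate,
            Secret = Guid.NewGuid().ToString("N")
        };
        _db.Students.Add(student);
        _db.SaveChanges();
        return RedirectToAction("Index");
    }
}
```

A quick check for the hardened version is to post the form with an extra Secret field and confirm the stored row keeps the server-generated value.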
Article reprinted from: http://www.cnblogs.com/Erik_Xu/p/5497501.html