Validate attempted fraud when editing record with C# MVC

In my application I was leaving the entity ID inside the HTML as a hidden field. Example:

@Html.HiddenFor(m => m.EntidadeID)

But I found that the HTML can be edited easily, and in the POST I can receive an invalid value.

Before, the controller Action looked like this:

[HttpPost]
[Authorize]
public ActionResult Detalhar(Entidade model)
{
    using (var db = new Conexao())
    {
        // the key comes only from the posted model, i.e. from the hidden field
        // (assumed from the description; the original fragment referenced an undefined "id")
        var registro = db.Entidade.Find(model.EntidadeID);
        // rest of the code
    }
}

If the ID is taken from the URL, I found that even if it was changed before the POST, the value sent was not the changed one but the original.

I changed the Action to look like this:

[HttpPost]
[Authorize]
public ActionResult Detalhar(int id, Entidade model)
{
    using (var db = new Conexao())
    {
        // the key now comes from the route value, not from the hidden field
        var registro = db.Entidade.Find(id);
        // rest of the code
    }
}

But I found another situation: when using @using (Html.BeginForm()), the form is rendered as <form action="/Entidade/Detalhar/5" method="post">, and the user can change the value 5 to any value he wants, thus producing an invalid data change.

Question

Is getting the entity ID from the URL safer? Or what would be the alternatives to reduce attempts at data fraud?

Updated question

If the user requests ID 5, the URL remains http://site/Registro/Detalhar/5; if he changes the ID to 10 before doing the POST, I saw that the controller still understands that the ID is 5. However, is there some way to get around the number, switch from 5 to 10, and have the controller receive 10? Similar to what we can do with the HTML.

  • Why not use TempData?

  • There should not be "data fraud" in a method whose only purpose is to show the details of a record. Are you saying something about passing the id of another record that the user should not have access to?

  • If you want to make indiscriminate querying of product details difficult, instead of passing the id you could assign an alphanumeric code such as a Guid to do the queries. Then the user would have to "guess" the code instead of typing the sequence.

  • @Leandroangelo I already have a validation of whether or not the user can access the record. But in the HTML I was putting @Html.HiddenFor(m => m.EntidadeID), and this HTML element I can manipulate in Chrome F12. My question: is there any way for the user to change the ID in the URL and have the controller understand the new value? I updated the question.

  • If you are sending with a POST, the user can change whatever he wants in the URL; that will not be sent, because the data that is submitted is only what is inside the form, and the URL only serves to look up the record. If he changes the value in the URL and looks it up with this new value, then yes, he can load information from another record on screen, but since you have already said that you have access validation, you have nothing to worry about. Anyway, encrypt the id hidden in the URL and in your form, so that before you persist you decrypt it and perform the validations.

1 answer


If the user asks for ID 5, the URL will be http://site/Registro/Detalhar/5; if he changes the ID to 10 before doing the POST, I saw that the controller understands that the ID is 5.

Yes, it remains 5 because the value passed in the route is used in the Model, which is loaded even before the HTML, which in turn is populated in HiddenFor.

However, is there any way to swap the number, switch from 5 to 10, and have the controller get 10?

Changing the value in the URL path does not reload the page, so the new entity ID is not loaded into HiddenFor. But you can get around this by simulating an AJAX/POST script and sending any values to your application. One of the ways to block this type of submission is by properly configuring Cross Domain Requests. There are a number of security settings that you can apply. Take a look here on this website.
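A server-side check for the situation described in the question and in this answer, as an added example that is not part of the original question or answer. It assumes the page's Conexao context (a DbContext with an Entidade DbSet) and Entidade model (with EntidadeID), plus a hypothetical UsuarioID owner column and a Descricao field; adjust those to the real model. The point it shows is that neither the route value nor the hidden field can be trusted on its own: the two are compared, the record is loaded by the server-side key, and the current user's right to that specific record is verified before anything is written.

```csharp
using System.Linq;
using System.Web.Mvc;

// Added example (not the asker's code). Conexao and Entidade are the page's own types;
// UsuarioID, Descricao and CurrentUserId() are hypothetical.
public class EntidadeController : Controller
{
    [HttpPost]
    [Authorize]
    [ValidateAntiForgeryToken] // pair with @Html.AntiForgeryToken() in the form
    public ActionResult Detalhar(int id, Entidade model)
    {
        // 1. Route value and hidden field must agree. A mismatch means one of them
        //    was edited on the client (F12, a hand-built POST, a script).
        if (id != model.EntidadeID)
            return new HttpStatusCodeResult(400, "Identificador inconsistente");

        using (var db = new Conexao())
        {
            // 2. Load by the key the server resolved, never by a value copied
            //    straight out of the request into a query.
            var registro = db.Entidade.Find(id);
            if (registro == null)
                return HttpNotFound();

            // 3. Authorization per record: this is what actually stops a request
            //    for someone else's record, however well-formed it is. Changing
            //    5 to 10 anywhere in the request ends up here with a 403.
            if (registro.UsuarioID != CurrentUserId())
                return new HttpStatusCodeResult(403);

            // 4. Copy only the fields the user may edit. The key and the owner
            //    are never taken from the posted model.
            registro.Descricao = model.Descricao;
            db.SaveChanges();
        }

        return RedirectToAction("Detalhar", new { id });
    }

    // Hypothetical helper: the identity name is used as the owner key here.
    private string CurrentUserId()
    {
        return User.Identity.Name;
    }
}
```

The anti-forgery token addresses the answer's point about scripted cross-origin posts, but it is only a complement: step 3 is the control that matters, since a logged-in user can always build a request by hand with a valid token of their own.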
