ASP.NET MVC UpdateModel vulnerable to hacking?


Question


I have an ASP.NET MVC application that is calendar-like. As per the NerdDinner example, I'm updating the results of my edit page using UpdateMethod()

In my app, certain events are fully customizable and certain ones are only partially customizable. Even though the edit form for editing the partially customizable events only has those fields available, obviously someone could create their own form with the missing data and post to my site. If they do so, what's to keep someone from changing any/all fields? Worse, what if they tried to change the id (primary key)?

It feels like UpdateModel() is vulnerable to very basic hacking. Are my fears legitimate or is there something I'm missing?

// POST: /MyEvents/Edit/2
[AcceptVerbs(HttpVerbs.Post), Authorize]
public ActionResult Edit(int id, FormCollection formValues)
{
    MyEvent myevent = eventRepository.GetMyEvent(id);

    try
    {
        UpdateModel(myevent);
        eventRepository.Save();
        return RedirectToAction("Details", new { id = myevent.MyEventId });
    }
    catch
    {
        ModelState.AddRuleViolations(myevent.GetRuleViolations());
        return View(new MyEventFormViewModel(myevent));
    }
}

Solution

You're missing the section on "Model Binding Security". You should always include a whitelist of properties that can be updated by any of your user input methods.

For example, from NerdDinner:

[AcceptVerbs(HttpVerbs.Post)]
public ActionResult Create( [Bind(Include="Title, Address")] Dinner dinner)
{

}

or if you're calling UpdateModel, you can create a string array of allowed properties, and do

UpdateModel(myObject, allowedProperties);

You can lock down the classes themselves so that only certain properties are updateable as well.

[Bind(Include="MyProp1,MyProp2,MyProp3")]
public partial class MyEntity { }
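To show the over-posting risk the question describes and the whitelist the answer recommends side by side, here is an added example (not code from the original question, the answer, or NerdDinner). It assumes a hypothetical `IMyEventRepository`, a `MyEvent` class with a constructed `OwnerId` field that must never be settable from a form, and the standard `System.Web.Mvc` `UpdateModel`/`TryUpdateModel` overloads that take an array of allowed property names.

```csharp
using System.Web;
using System.Web.Mvc;

// Constructed entity: MyEventId is the primary key, OwnerId decides who may edit the
// event. Neither must ever be settable from a posted form.
public partial class MyEvent
{
    public int MyEventId { get; set; }
    public string Title { get; set; }
    public string Location { get; set; }
    public int OwnerId { get; set; }   // hypothetical field, not in the original question
}

// Hypothetical repository; only the two methods the actions need.
public interface IMyEventRepository
{
    MyEvent GetMyEvent(int id);
    void Save();
}

public class MyEventsController : Controller
{
    private readonly IMyEventRepository eventRepository;

    public MyEventsController(IMyEventRepository repository)
    {
        eventRepository = repository;
    }

    // The only properties a POST may set. MyEventId and OwnerId are deliberately absent,
    // so a hand-crafted body containing "MyEventId=42&OwnerId=1" is silently ignored.
    private static readonly string[] EditableProperties = { "Title", "Location" };

    // BEFORE (the pattern from the question): UpdateModel copies every form field whose
    // name matches a property, so a crafted form can overwrite MyEventId and OwnerId too.
    [AcceptVerbs(HttpVerbs.Post), Authorize]
    public ActionResult EditUnsafe(int id, FormCollection formValues)
    {
        MyEvent myevent = eventRepository.GetMyEvent(id);
        UpdateModel(myevent);                       // no whitelist: over-posting possible
        eventRepository.Save();
        return RedirectToAction("Details", new { id = myevent.MyEventId });
    }

    // AFTER: same flow, but the binder is restricted to the whitelisted properties.
    [AcceptVerbs(HttpVerbs.Post), Authorize]
    public ActionResult Edit(int id, FormCollection formValues)
    {
        MyEvent myevent = eventRepository.GetMyEvent(id);
        if (myevent == null)
        {
            throw new HttpException(404, "Event not found");
        }

        // TryUpdateModel returns false instead of throwing when binding or validation
        // fails; either way only Title and Location can have been touched.
        if (!TryUpdateModel(myevent, EditableProperties))
        {
            return View(myevent);
        }

        eventRepository.Save();
        return RedirectToAction("Details", new { id = myevent.MyEventId });
    }
}

// Alternative from the answer: declare the whitelist once on the type. Every binder
// (action parameters, UpdateModel, TryUpdateModel) then honours it, so a developer
// who forgets the per-call list in a new action still cannot over-post the key.
[Bind(Include = "Title,Location")]
public partial class MyEvent { }
```

When both a class-level `[Bind]` and a per-call include list are present, the default model binder applies both filters, so a property has to be allowed by each before it is bound; putting the attribute on the entity is therefore a safe default and the per-call list can only narrow it further.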

