Never trust data submitted from a web page is a core security concept for web development. When using an MVC framework, this statement takes on added relevance. MVC frameworks rely heavily on binding querystrings, route values and form values to in-code objects.
Take for example the scenario where an authenticated user needs to update their profile. A common pattern in MVC would be to first load the the user in a controller and pass the user object to a View which renders the html to be sent to the browser:
[Authorize]
ActionResult UserDetails(int userId)
{
var user = respository.GetUser(userId);
return View(user);
}
Another controller will then receive the Http Post from the update page and process the update:
[HttpPost]
[Authorize]
ActionResult UserDetails(User user)
{
respository.UpdateUser(user);
return View(user);
}
This works seamlessly, and developers are often comforted by the [Authorize] attribute which mandates that the user must first have logged in to the service and been authenticated to access the update page.
The vulnerability here is that when the page is sent to the user the html will contain the userid (typically in a hidden field), this forms part of the Http Post sent back to the server and is used as the primary key to determine which record to update. Using a tool such as Fiddler it is trivial to change this userid to any value and hence update any user record (attackers will often change a userid to 1 which is usually an admin account).
Accepting Data From a Trusted Source
The first defense against parameter tampering to only accept data from a trusted source where possible. In the above scenario, this could mean only accepting the data from the ASP.NET Membership provider:
[HttpPost]
[Authorize]
ActionResult UserDetails(User user)
{
//Test is submitted user.Name is the same as the current logged in user
if(user.Name == User.Identity.Name)
{
respository.UpdateUser(user);
return View(user);
}
else
{
//error
}
}
Encrypting and Decrypting Key Values
A more generalised solution is to pass down an encrypted value to the webpage and then decrypt and test this against the key value on the Http Post. Take for example an orderId which is used to update and order details (such as the address the order is to be sent to).
First, in the controller we can create an encrypted value of the key orderId field using the MachineKey API:
ActionResult OrderDetails(int orderId)
{
var order = respository.GetOrder(orderId);
var orderidBytes = Encoding.UTF8.GetBytes(orderId);
var encryptedOrderId = MachineKey.Encode(plaintextBytes, MachineKeyProtection.All);
ViewBag.OrderIdEncrypt = encryptedOrderId;
return View(order);
}
In the Razor view, simply add the ViewBag.OrderIdEncrypt in a hidden field within the form:
...
@Html.Hidden("OrderIdEncrypt", ViewBag.OrderIdEncrypt)
...
Now when the form is posted back there will be a OrderIdEncrypt value on the form. This can then be decrypted with the MachineKey API and compared to the submitted value of OrderId:
[HttpPost]
[Authorize]
ActionResult OrderDetails(Order order, string orderIdEncrypt)
{
var decryptedOrderIdBytes = MachineKey.Decode(encryptedValue, MachineKeyProtection.All);
var unEncryptedOrderId = Encoding.UTF8.GetString(decryptedBytes);
if(unEncryptedOrderId == order.Id)
{
respository.UpdateOrder(order);
return View(order);
}
else
{
//test failed - send error message
}
}
This solution could of course be cleaned up a lot – an enhancement would be firstly to have an computed field on the Order model which returns an encrypted value of the orderId and a helper method IsOrderIdValid which would compare an encrypted orderId value to a plain text orderId. This would clean up the solution and minimise the amount of logic in the controller.
In addition to tampering with existing values in a form, MVC frameworks are also vulnerable to adding additional parameters which are then bound to objects. This is commonly referred to as a Mass Assignment vulnerability and will be dealt with in my next article article.