in MVC, how to verify reliability of submitted form hidden fields? - asp.net-mvc

In mvc, when submitted to a controller, how can I verify that a user hasn't maliciously changed readonly hidden form fields?

When displaying the form fields render a hidden field that contains a hash for the displayed values.
When receiving the post request hash the received data again and compare this hash to the value of the hidden field.

Two options I can think of:
Encrypt the fields when displaying them, then decrypt server side and use the value
Don't store sensitive information in hidden fields and instead store them in the session (recommended)

Related

How to retrieve data-attr value of input?

I set a data-id="2" attribute on an HTML input tag. For example: <input data-id="2" value="test"/>. How do I retrieve this value in my action? I'm using dynamic text inputs where they can be sub inputs themselves.
The action can only access data which has been submitted to it (using POST or GET). If you want to be able to access the id, you'll need to grab that value using Javascript and send it with the other form data when the form is submitted.

How can I make a form that does not send empty parameters in MVC?

I'm using ASP.net MVC5 and I have just created a simple search form. Upon submitting, the controller is called with GET parameters.
The thing is that all parameters are sent regardless of whether the user has filled them in, resulting in an ugly and bigger URL than is needed.
So, what needs to be done in order that the form won't send null/empty fields?

Can user change input from readonly to editable?

I'm using MVC for my data entry form and I have the following div:
<div>
<label>Bar Code:</label>
@if (Model.GiftCardId == default(int))
{
@Html.TextBoxFor(model => model.BarCode)
}
else
{
@Html.TextBoxFor(model => model.BarCode, new { @readonly = "readonly" })
}
</div>
Here, I'm making sure that if the user is entering a new gift card, an editable input is displayed to allow the user to enter a new bar code. But if the user is editing an existing gift card, the input must display as a readonly input. My question is: can the user alter the readonly attribute of the barCode input and allow himself to enter a different one? The BarCode field is not the primary key in the table but it must be unique. I use the GiftCardId field to identify the record. But then, what's to stop the user from changing the GiftCardId as well when submitting the form? How can this be controlled?
I understand this to be a security-related question, i.e. can the user hack the form to do something with it that you didn't intend.
The answer is yes, a user can use tools like Firebug to interfere with the markup, thereby changing the readonly attribute.
You don't show how the GiftCardId is collected from the user. Assuming it is collected and validated in a previous view / action method, a more secure approach would be to redirect to a different view depending on whether the GiftCardId is valid / new or not.
Edit after comments
A couple of suggestions.
Store the GiftCardId in session state rather than send it to the browser.
Use a one-way hashing function to generate a token from the GiftCardId and send it to the browser in a hidden field. Rehash the GiftCardId that is posted back and check that it matches the original hash. See this short article on creating an MD5 hash.
The simple answer is "Yes": all requests can be forged. That's why you should never trust user input and should validate it on the server side.
What you can do really depends on what you need and the implications of the GiftCardId being modified. Things you could do in addition to the server-side validation:
1. hide the field instead of making it visible
2. encrypt the GiftCardId
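The first question on this page and the GiftCardId question both come down to the same check: a value that is rendered read-only or hidden must be verified on the way back in. The following is an added example, not code from the question or any of the answers above. It uses a keyed MAC (HMAC-SHA256 with a server-held key) rather than an unkeyed hash, because a client can recompute a plain MD5 or SHA of any value they choose, but cannot produce a valid HMAC without the key. It assumes ASP.NET MVC 5 on .NET Framework, a hypothetical GiftCardEditModel, and a 32-byte random key stored Base64-encoded under an appSettings entry named HiddenFieldHmacKey (placeholder name).

```csharp
// Added example (not from the question or any answer on this page): a keyed
// integrity token for values that round-trip through hidden or read-only fields.
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Web.Mvc;

public static class HiddenFieldProtector
{
    // Placeholder: a 32-byte random key stored Base64-encoded in configuration;
    // load it from config or a key vault, never hard-code it.
    private static readonly byte[] Key =
        Convert.FromBase64String(ConfigurationManager.AppSettings["HiddenFieldHmacKey"]);

    // Canonical, unambiguous encoding: fields sorted by name, each written as
    // "<len>:<name><len>:<value>", so two different field sets never collide.
    private static byte[] Canonical(IDictionary<string, string> fields)
    {
        var sb = new StringBuilder();
        foreach (var kv in fields.OrderBy(kv => kv.Key, StringComparer.Ordinal))
        {
            string value = kv.Value ?? string.Empty;
            sb.Append(kv.Key.Length).Append(':').Append(kv.Key)
              .Append(value.Length).Append(':').Append(value);
        }
        return Encoding.UTF8.GetBytes(sb.ToString());
    }

    // Token to emit into a hidden field next to the protected values.
    public static string Sign(IDictionary<string, string> fields)
    {
        using (var hmac = new HMACSHA256(Key))
            return Convert.ToBase64String(hmac.ComputeHash(Canonical(fields)));
    }

    // True only if the posted values reproduce the token the server issued.
    public static bool Verify(IDictionary<string, string> fields, string token)
    {
        if (string.IsNullOrEmpty(token)) return false;
        byte[] presented;
        try { presented = Convert.FromBase64String(token); }
        catch (FormatException) { return false; }
        byte[] expected;
        using (var hmac = new HMACSHA256(Key))
            expected = hmac.ComputeHash(Canonical(fields));
        return FixedTimeEquals(expected, presented);
    }

    // Constant-time comparison; .NET Framework has no CryptographicOperations.FixedTimeEquals.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// Hypothetical view model; Token is rendered with @Html.HiddenFor(m => m.Token).
public class GiftCardEditModel
{
    public int GiftCardId { get; set; }
    public string BarCode { get; set; }
    public string Token { get; set; }

    // The fields the user must not be able to change; same keys on render and on post.
    public IDictionary<string, string> ProtectedFields() => new Dictionary<string, string>
    {
        ["GiftCardId"] = GiftCardId.ToString(),
        ["BarCode"] = BarCode,
    };
}

public class GiftCardController : Controller
{
    [HttpGet]
    public ActionResult Edit(int id)
    {
        // Constructed stand-in; a real action loads the record from the database.
        var model = new GiftCardEditModel { GiftCardId = id, BarCode = "LOADED-FROM-DB" };
        model.Token = HiddenFieldProtector.Sign(model.ProtectedFields());
        return View(model);
    }

    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Edit(GiftCardEditModel posted)
    {
        // Reject the post if GiftCardId or BarCode differ from what the server rendered.
        if (!HiddenFieldProtector.Verify(posted.ProtectedFields(), posted.Token))
            return new HttpStatusCodeResult(400, "Read-only fields were altered.");
        // ... the usual check that this user may edit this card, then save ...
        return RedirectToAction("Index");
    }
}
```

The token only proves that the values came from a page this server rendered; it does not say which user the page was rendered for. If that matters, add the authenticated user's id to the dictionary passed to Sign and Verify so a token from one user's page is not valid in another's post. Keeping the GiftCardId in session state, as the answers above suggest, avoids the round trip entirely and needs no token.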

Where do form fields in ASP.Net MVC take their values from?

I understand that fields such as Html.TextBox() accept two values, the first one being the name and the second one being the value. And so does Html.TextArea(). But in a case where the form is submitted as AJAX and the div where the form is placed is replaced with a view from the server, the form fields insist on taking the previous values. An image is worth a thousand words:
(image: http://img132.imageshack.us/img132/4171/aspnetmvcbug.png)
I've checked everything on the controller and the model and the image is from debugging the view itself. The model is empty but the fields generated from it take the value of the previous submission.
The postback data is held in the ModelState. The built in HtmlHelper methods will look for values stored in the model state based on the name of the form element when rendering their content.
Check the View.ModelState property. Forms can grab values from there in certain circumstances.
Do you have an entry ViewData["Body"]? MVC will also attempt to bind a control to a ViewData item based on the name.
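The behaviour described in these answers, with the two usual ways of clearing the stale values, as an added example (not code from the question or the answers). It assumes a hypothetical PostModel with a single Body property and a partial view named _Form that the AJAX call swaps into the page.

```csharp
// Added example: why a re-rendered form shows previously posted values, and
// how to clear them. PostModel and the "_Form" partial view are assumptions.
using System.Web.Mvc;

public class PostModel
{
    public string Body { get; set; }
}

public class CommentController : Controller
{
    // AJAX endpoint whose response replaces the div containing the form.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Create(PostModel posted)
    {
        if (!ModelState.IsValid)
            return PartialView("_Form", posted);   // keep the user's input so they can correct it

        // ... persist posted.Body ...

        // Html.TextBox("Body") / TextBoxFor(m => m.Body) read ModelState["Body"] before
        // Model.Body, so the submitted text would reappear in the "empty" form.
        ModelState.Clear();                        // or ModelState.Remove("Body") for one field
        return PartialView("_Form", new PostModel());
    }

    // Non-AJAX alternative: Post-Redirect-Get. The redirected GET is a new request
    // with an empty ModelState, so nothing stale can leak into the helpers.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult CreateAndRedirect(PostModel posted)
    {
        // ... persist posted.Body ...
        return RedirectToAction("New");
    }
}
```

ModelState.Clear() also discards any validation errors that were added, so call it only on the success path, as above.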

ASP.NET MVC- submitting a client side created collection

I am using javascript to append user selections to a list. When the user is done, which is the best way to go:
1: create index for the list and submit as model in a form to the controller?
2: create hidden element and use javascript to append values and submit as actionlink? (not sure how to tell actionlink the value here)
3: wrap form block around the hidden element only and submit string as model?
other?
I think the easiest way is to put some form of your list into a hidden field (type=hidden) and it will be automatically submitted with the form and accessible on the server under the name you gave it. So the main reasoning here is the way you are going to process this data on the server side.
First of all, Scott Hanselman has a good post about model binding to arrays, collections, etc.
In my opinion you shouldn't use the second way because this will be a vulnerability (see the description of CSRF).
In order to use collections binding you'll need to wrap a form around a list and submit it (note, this form will submit only selected values in this list but you may select them all before submit) or to create a map of values and submit it via javascript (for jQuery - $.post(url, data, callback)) or to add all pairs of name&value to some hidden element of a form and submit it.
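As an added example (not code from the question or the answers), here is the receiving side of the collection-binding approach the answers recommend: a POST form carrying the client-built list as repeated hidden inputs, bound to a List<int>, with the anti-forgery check that the GET ActionLink variant cannot have. It assumes the page script appends one <input type="hidden" name="SelectedIds" value="..."> per selection (a hypothetical form) and that OfferedIds stands in for the set of ids the server actually presented.

```csharp
// Added example: binding a client-built list from a POST form, with anti-forgery
// protection and server-side validation of the ids. SelectionModel, the form
// field name "SelectedIds" and the OfferedIds set are assumptions.
using System.Collections.Generic;
using System.Linq;
using System.Web.Mvc;

public class SelectionModel
{
    // DefaultModelBinder fills this from repeated "SelectedIds=3&SelectedIds=7"
    // or indexed "SelectedIds[0]=3&SelectedIds[1]=7" form values.
    public List<int> SelectedIds { get; set; }
}

public class SelectionController : Controller
{
    // Constructed stand-in for "the ids this user was actually offered" (normally a DB query).
    private static readonly HashSet<int> OfferedIds = new HashSet<int> { 3, 5, 7, 11 };

    [HttpPost, ValidateAntiForgeryToken]   // rejects cross-site posts that lack the token
    public ActionResult Submit(SelectionModel model)
    {
        // Nothing posted binds to null; treat it as an empty selection.
        var ids = (model.SelectedIds ?? new List<int>()).Distinct().ToList();

        // Binding gives typed ints, but the client chose them: check each against what was offered.
        var unknown = ids.Where(id => !OfferedIds.Contains(id)).ToList();
        if (unknown.Any())
        {
            ModelState.AddModelError("SelectedIds",
                "Unknown selection: " + string.Join(", ", unknown));
            return View("Select", model);
        }

        // ... process ids ...
        return RedirectToAction("Done");
    }
}
```

The form that posts this needs @Html.AntiForgeryToken() inside it; the hidden inputs the script appends carry the list, so no ActionLink or query string is involved.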
