 

Security with QueryString values in Asp.net MVC

How do you properly ensure that a user isn't tampering with querystring values or action url values? For example, you might have a Delete Comment action on your CommentController which takes a CommentID. The action url might look like /Comments/Delete/3 to delete the comment with the id 3.

Now obviously you don't want anyone to be able to delete comment 3. Normally only the owner of the comment or an admin has permission to do so. I've seen this security enforced different ways and would like to know how some of you do it.

Do you make multiple Database calls to retrieve the comment and check that the author of the comment matches the user invoking the delete action?

Do you instead pass the CommentID and the UserID down to the stored procedure that does the delete and do a Delete where UserID and CommentID equal the values passed in?

Is it better to encrypt the query string values?

Vyrotek asked Oct 29 '08 02:10



5 Answers

You don't.

It is a cardinal rule of programming, especially in this day and age, that you never trust any input which comes from the user, the browser, the client, etc.

It is also a cardinal rule of programming that you should probably not try to implement encryption and security yourself, unless you really know what you are doing. And even if you do know what you are doing, you will only remain one step ahead of the tard-crackers. The smart ones are still going to laugh at you.

Do the extra query to ensure the logged-in user has the right set of permissions. That will make everyone's lives just that much simpler.

yfeldblum answered Oct 10 '22 23:10


Encrypting and decrypting query params is a trivial process and there are some great examples of how to do so using an HttpModule here on StackOverflow.

"You Don't", "You can't", or "It's not easy" are simply not acceptable responses in this day and age...

Ed DeGagne answered Oct 10 '22 22:10


Vyrotek: The input method is not important. GET, POST, encrypted/obfuscated GET - no real difference. No matter the way your application receives commands, to perform an administrative action it must make sure that the issuing user is allowed to do the stuff he wants. The permission check must take place AFTER the command is received and BEFORE it gets executed. Otherwise it's no security at all.

rciq answered Oct 10 '22 21:10


Consider using the technique outlined in Stephen Walther's article "Tip #46 – Don’t use Delete Links because they create Security Holes", which uses [AcceptVerbs(HttpVerbs.Delete)].

Arnold Zokas answered Oct 10 '22 22:10


You can also allow only POST requests to the Delete controller action by using the AcceptVerbs attribute, as seen below.

[AcceptVerbs(HttpVerbs.Post)]
public ActionResult Delete(int? id)
{
    // Delete
    return new EmptyResult(); // an ActionResult method must return a result
}

Then you could also use the antiforgery token as discussed here:

http://blog.codeville.net/2008/09/01/prevent-cross-site-request-forgery-csrf-using-aspnet-mvcs-antiforgerytoken-helper/

Schotime answered Oct 10 '22 22:10
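
The approach the answers converge on, as an added example that is not code from any of the posters: a POST-only, anti-forgery-protected Delete action that loads the comment and checks it against the authenticated user before deleting. The `Comment` and `CommentStore` types, the "Admin" role name and the "Index" redirect target are assumptions, and the in-memory dictionary stands in for the database query.

```csharp
using System;
using System.Collections.Generic;
using System.Web.Mvc;

// Hypothetical model; AuthorName holds the login name of the comment's owner.
public class Comment
{
    public int Id { get; set; }
    public string AuthorName { get; set; }
}

// Hypothetical store standing in for the database (constructed sample data).
public static class CommentStore
{
    public static readonly Dictionary<int, Comment> Comments =
        new Dictionary<int, Comment>
        {
            { 3, new Comment { Id = 3, AuthorName = "alice" } }
        };
}

[Authorize] // anonymous callers never reach any action on this controller
public class CommentsController : Controller
{
    [AcceptVerbs(HttpVerbs.Post)] // a plain GET link cannot trigger the delete
    [ValidateAntiForgeryToken]    // the form must include Html.AntiForgeryToken()
    public ActionResult Delete(int id)
    {
        // The id from the URL is only a lookup key, never proof of permission.
        Comment comment;
        if (!CommentStore.Comments.TryGetValue(id, out comment))
            return HttpNotFound();

        // The caller's identity comes from the authenticated session,
        // not from anything the request supplies.
        bool isOwner = string.Equals(comment.AuthorName, User.Identity.Name,
                                     StringComparison.OrdinalIgnoreCase);
        if (!isOwner && !User.IsInRole("Admin")) // "Admin" is an assumed role name
            return new HttpStatusCodeResult(403);

        // The check ran after the command arrived and before it executes.
        CommentStore.Comments.Remove(id);
        return RedirectToAction("Index"); // assumed list action
    }
}
```

The single-statement variant from the question (a DELETE with both CommentID and UserID in the WHERE clause) enforces the same rule, provided the UserID is taken from the authenticated session and zero affected rows is treated as a refusal.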