Model Binding in ASP.NET MVC
A quick overview of how to secure your model binding in ASP.NET MVC


Published in: Technology
Transcript

  • 1. Tightly binding your model (Part of a series on ASP.NET MVC Security)
    Barry Dorrans
    MVP – Developer Security
  • 2. Introduction
    The Model: A class that encapsulates data and represents a business entity, for example an Order.
    The View: The user interface into an application.
    The Controller: Manages communication between the UI and the model.
  • 3. Binding
    Binding takes input from a view and applies it to a model.
    For example:
    A view contains a field called “PostCode”.
    The model has a public get/set property called “PostCode”.
    Binding uses the PostCode property on the model to render onto the view, then takes the returned PostCode input value and sets the property on the model.
  • 4. The Problem
    What if I add a field during form submission whose name matches a property of the model?
  • 5. The Solution - FormDataCollection
    If your actions take FormDataCollections, pass a string array of allowed bindable property names, e.g.
        UpdateModel(boardPost, new[] { "Title", "Content", "Rating" });
  • 6. The Solution – Model Actions
    If your actions take an instance of a model object, set the Bind attribute in your method definition, e.g.
        [AcceptVerbs(HttpVerbs.Post)]
        public ActionResult Edit([Bind(Include = "Title,Content")] BoardPost boardPost)
  • 7. The Solution – Model Based
    You can also apply the Bind attribute to your model classes – but this applies to all binding calls, which can be limiting.
        [Bind(Include = "Title,Content")]
        public class BoardPosting { }
  • 8. The Solution – General
    Create a view-specific model which has protected properties which are not bindable.
    Or be really nasty and create a custom binder. Propeller hats needed.
    You can also exclude rather than include – white listing is more secure. Excludes may be suitable for model-level restrictions.
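
The view-specific model from slide 8, shown beside the unrestricted binding that slide 4 warns about, as an added example that is not from the original slides. The `IsApproved` and `AuthorId` properties, the `BoardPostEditModel` and `BoardController` names, and the `Load`/`Save` helpers are hypothetical; here the view model omits the sensitive properties entirely rather than marking them protected.

```csharp
using System.Web.Mvc;

// Hypothetical entity: IsApproved and AuthorId must never be set from form input.
public class BoardPost
{
    public int Id { get; set; }
    public string Title { get; set; }
    public string Content { get; set; }
    public bool IsApproved { get; set; }
    public int AuthorId { get; set; }
}

// View-specific model: exposes only the fields the edit form may change.
public class BoardPostEditModel
{
    public string Title { get; set; }
    public string Content { get; set; }
}

public class BoardController : Controller
{
    // Weak: every public settable property binds, so a submitted field named
    // "IsApproved" or "AuthorId" is copied straight onto the entity.
    [AcceptVerbs(HttpVerbs.Post)]
    public ActionResult EditUnrestricted(BoardPost boardPost)
    {
        return Save(boardPost);
    }

    // Hardened: the binder only ever sees the two view-model properties. The
    // entity is loaded server-side and updated field by field, so extra form
    // fields have nothing to bind to.
    [AcceptVerbs(HttpVerbs.Post)]
    public ActionResult Edit(int id, BoardPostEditModel input)
    {
        if (!ModelState.IsValid) return View(input);
        BoardPost post = Load(id);
        post.Title = input.Title;
        post.Content = input.Content;
        return Save(post);
    }

    // Placeholders standing in for the application's own persistence code.
    private BoardPost Load(int id) { return new BoardPost { Id = id }; }
    private ActionResult Save(BoardPost post) { return RedirectToAction("Index"); }
}
```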
