Model Binding in ASP.NET MVC

A quick overview of how to secure your model binding in ASP.NET MVC


1. Tightly binding your model (part of a series on ASP.NET MVC Security)
   Barry Dorrans
   MVP – Developer Security

2. Introduction
   The Model: a class that encapsulates data and represents a business entity, for example an Order.
   The View: the user interface into an application.
   The Controller: manages communication between the UI and the model.

3. Binding
   Binding takes input from a view and applies it to a model.
   For example:
   A view contains a field called "PostCode".
   The model has a public get/set property called "PostCode".
   Binding uses the PostCode property on the model to render onto the view, and takes the returned PostCode input value and sets the property on the model.

4. The Problem
   What if I add a field to the form submission whose name matches a property on the model that the form was never meant to set? ....

5. The Solution – FormDataCollection
   If your actions take FormDataCollections, pass a string array of the property names that are allowed to bind, e.g.
   UpdateModel(boardPost, new[] { "Title", "Content", "Rating" });

6. The Solution – Model Actions
   If your actions take an instance of a model object, set the Bind attribute on the parameter in your method definition, e.g.
   [AcceptVerbs(HttpVerbs.Post)]
   public ActionResult Edit([Bind(Include = "Title,Content")] BoardPost boardPost)

7. The Solution – Model Based
   You can also apply the Bind attribute to your model classes, but this applies to every binding call against that class, which can be limiting.
   [Bind(Include = "Title,Content")]
   public class BoardPosting {}

8. The Solution – General
   Create a view-specific model whose sensitive properties are protected rather than public, so they are not bindable.
   Or be really nasty and create a custom binder. Propeller hats needed.
   You can also exclude rather than include, but white listing is more secure: a property you add later is safe by default. Excludes may be suitable for model-level restrictions.
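The following controller is an added example, not code from the slides or from the speaker: it puts the over-posting problem of slide 4 next to the three whitelisting fixes from slides 5, 6 and 8 in one place. The entity BoardPost with its moderator-only IsApproved property, the IBoardPostRepository persistence interface and the BoardPostEditModel view model are assumed names for illustration; the slides' "FormDataCollection" corresponds to System.Web.Mvc.FormCollection here, and UpdateModel with a string array of property names is the Controller overload the slide quotes.

```csharp
// Added example, not from the slides: the over-posting problem from slide 4
// beside the three whitelisting fixes from slides 5, 6 and 8.
// BoardPost, IsApproved, IBoardPostRepository and BoardPostEditModel are
// assumed names for illustration.
using System.Web.Mvc;

public class BoardPost
{
    public int Id { get; set; }
    public string Title { get; set; }
    public string Content { get; set; }
    public int Rating { get; set; }
    // Only moderators may set this; it must never come from the edit form.
    public bool IsApproved { get; set; }
}

// View-specific model (slide 8): the sensitive property simply is not there,
// so there is nothing for the default binder to set.
public class BoardPostEditModel
{
    public string Title { get; set; }
    public string Content { get; set; }
}

// Hypothetical persistence layer, assumed so the actions are complete.
public interface IBoardPostRepository
{
    BoardPost Get(int id);
    void Save(BoardPost post);
}

public class BoardPostController : Controller
{
    private readonly IBoardPostRepository _repository;

    public BoardPostController(IBoardPostRepository repository)
    {
        _repository = repository;
    }

    // VULNERABLE (slide 4): the default binder sets every public settable
    // property it can find in the request, so a submitted field named
    // "IsApproved" with the value "true" is written straight into the entity.
    [AcceptVerbs(HttpVerbs.Post)]
    public ActionResult EditUnsafe(BoardPost boardPost)
    {
        if (!ModelState.IsValid) return View(boardPost);
        _repository.Save(boardPost);
        return RedirectToAction("Index");
    }

    // Fix 1 (slide 5): load the entity, then UpdateModel with an explicit
    // whitelist of bindable property names. IsApproved is not listed, so a
    // stray "IsApproved" field in the request is ignored.
    [AcceptVerbs(HttpVerbs.Post)]
    public ActionResult EditWithFormCollection(int id, FormCollection form)
    {
        var boardPost = _repository.Get(id);
        UpdateModel(boardPost, new[] { "Title", "Content", "Rating" });
        if (!ModelState.IsValid) return View(boardPost);
        _repository.Save(boardPost);
        return RedirectToAction("Index");
    }

    // Fix 2 (slide 6): [Bind(Include = ...)] on the action parameter. Only the
    // listed properties are bound and everything else keeps its default value,
    // so the bound values are copied onto the stored entity rather than the
    // half-populated parameter being saved as-is.
    [AcceptVerbs(HttpVerbs.Post)]
    public ActionResult EditWithBind(int id,
        [Bind(Include = "Title,Content")] BoardPost input)
    {
        if (!ModelState.IsValid) return View(input);
        var boardPost = _repository.Get(id);
        boardPost.Title = input.Title;
        boardPost.Content = input.Content;
        _repository.Save(boardPost);
        return RedirectToAction("Index");
    }

    // Fix 3 (slide 8): bind to the view-specific model and copy across by hand.
    [AcceptVerbs(HttpVerbs.Post)]
    public ActionResult EditWithViewModel(int id, BoardPostEditModel input)
    {
        if (!ModelState.IsValid) return View(input);
        var boardPost = _repository.Get(id);
        boardPost.Title = input.Title;
        boardPost.Content = input.Content;
        _repository.Save(boardPost);
        return RedirectToAction("Index");
    }
}
```

All three fixes are include lists, which is the slide 8 recommendation: if IsApproved is ever joined by another moderator-only property, it is unbindable by default without anyone remembering to extend an exclude list. The class-level [Bind] of slide 7 would work too, but it would also constrain a future moderation action that legitimately needs to bind IsApproved, which is the limitation the slide warns about.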
