This document discusses binding models in ASP.NET MVC and how to tightly control which properties can be updated. It describes how binding works to apply view input to model properties. The main problem is that malicious input could update any property. The solutions covered are using a FormDataCollection and specifying allowed properties, adding a Bind attribute to actions or models to define an include list of updatable properties, and creating a view-specific model with protected properties.

1. Tightly binding your model(Part of a series on ASP.NET MVC Security) Barry Dorrans MVP – Developer Security

2. Introduction The ModelA class that encapsulates data and represents a business entity, for example an Order. The ViewThe user interface into an application. The ControllerManages communication between the UI and the model.

3. Binding Binding takes input from a view and applies it to a model. For example A view contains a field called “PostCode” The model has a public get/set property called “PostCode” Binding uses the PostCode property on the model to render onto the view and takes the returned PostCode input value and sets the property on the Model.

4. The Problem What if I add a field during form submission that has a property name matching that of the model? ....

5. The Solution - FormDataCollection If your actions take FromDataCollections pass a string array of allowed bindable property names e.g.UpdateModel(boardPost, new[]{"Title","Content","Rating"});

6. The Solution – Model Actions If your actions take an instance of a model object then set the bind attribute in your method definition e.g.[AcceptVerbs(HttpVerbs.Post)]public ActionResult Edit( [Bind(Include = "Title,Content")]BoardPostboardPost)

7. The Solution – Model Based You can also apply the Bind attribute to your model classes – but this applies to all binding calls, which can be limiting.[Bind(Include="Title,Content")]public class BoardPosting{}

8. The Solution – General Create a view specific model which has protected properties which are not bindable. Or be really nasty and create a custom binder. Propeller hats needed. You can also exclude rather than include – white listing is more secureExcludes may be suitable for model level restrictions.