ASP.NET MVC: Making sure an edit is allowed (ownership)

I have a multi-user ASP.NET MVC application. Users should not be able to see or do anything with each other's data.

One of my controller actions is the usual POST to /Edit that edits a record (for example, a contact). Now here is my problem: what if someone fakes a simple POST to /Edit (which automatically binds the form to my Contact class) and edits other people's information? Since each entry is identified by an Id, all that needs to be done is to make a fake POST with Id XXX, and then entry #XXX will be overwritten with whatever the attacker supplied. How can I stop this?

The only thing I have thought of is to retrieve the original instance from the database first each time, check that it is actually within the set of objects this user is allowed to edit (the ones he normally sees for editing), and only if that check passes continue with UpdateModel and save the changes.

Is there a better way?

Edit: This is not a cross-site/CSRF attack. Another registered user can do this.

+4
4 answers

Authorization for a view/page and authorization for a particular object are indeed two separate concepts. The best approach is to use the Authorize attribute in conjunction with the ASP.NET role system to grant or deny access to the page. Once you have confirmed that the user has access to the page, you can check whether he has the permission he is requesting on the object he is requesting it for. I use this approach in my application and it works great. First, using the Authorize filter significantly improves performance, since actually checking permissions on objects is much more expensive.

In addition, I use a home-grown rule system to actually establish and determine whether the user has access to the object. For example, in my system, administrators have full access to every object (this is a rule). The user who creates an object has full access to that object (also specified by a rule). In addition, a user's manager has full access to everything his employees have access to (again, a specified rule). My application then evaluates the object to see if any of the rules apply, starting with the simplest rule and then moving on to more complex rules. If any rule evaluates positively, I stop evaluating rules and exit the function.

+4

What you can do is exclude the identifier from model binding with this syntax:

public ActionResult Edit([Bind(Exclude="Id")] User userToEdit) 

and then set the identifier from the currently logged-in user instead, so that the logged-in user can only edit their own items and not anyone else's.

+1
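The two answers above (page-level Authorize plus an object-level ownership check, and keeping the Id out of model binding) combine naturally into one Edit action. The following is an added example, not code from the question or from either answerer; it assumes ASP.NET MVC 3 or later, a hypothetical Contact class and a hypothetical IContactRepository whose lookup is already scoped by owner, so a posted Id that belongs to another user simply finds nothing.

```csharp
using System.Web.Mvc;

// Hypothetical domain class (assumption, not from the question).
public class Contact
{
    public int Id { get; set; }
    public string OwnerUserId { get; set; }   // set once, at creation, from the logged-in user
    public string Name { get; set; }
    public string Email { get; set; }
}

// Hypothetical repository (assumption). FindForOwner returns null both when the
// record does not exist and when it exists but belongs to someone else.
public interface IContactRepository
{
    Contact FindForOwner(int id, string ownerUserId);
    void Save(Contact contact);
}

[Authorize]   // page-level check: anonymous users never reach these actions at all
public class ContactsController : Controller
{
    private readonly IContactRepository _repo;

    public ContactsController(IContactRepository repo)
    {
        _repo = repo;
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Edit(int id)
    {
        // Object-level check: the query itself is scoped to the current user, so the
        // attacker's "fake POST with Id XXX" cannot reach a record they do not own.
        // User.Identity.Name is used here for brevity; a stable provider user key is
        // preferable if login names can change.
        var contact = _repo.FindForOwner(id, User.Identity.Name);
        if (contact == null)
            return HttpNotFound();   // same response for "missing" and "not yours"

        // Whitelist the bindable fields. Id and OwnerUserId are never taken from the
        // POST, which has the same effect as [Bind(Exclude = "Id")] on a parameter,
        // but stated as an allow-list so new properties are not bindable by default.
        if (!TryUpdateModel(contact, new[] { "Name", "Email" }))
            return View(contact);   // validation errors: redisplay the form

        _repo.Save(contact);
        return RedirectToAction("Index");
    }
}
```

Scoping the lookup by owner (rather than loading by Id and comparing afterwards) means there is no code path that holds someone else's record in memory, and returning 404 for both cases avoids confirming to a probing user which Ids exist.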

First, loading the original record and verifying the owner sounds like a good approach to me. Alternatively, you can add a hidden field containing the record identifier and cryptographically sign that field to make sure it cannot be changed, or take the record identifier, hash it with the user identifier as a salt, and verify that (if you use membership providers you should use the unique provider user key, not the login name).

0
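The signed-hidden-field variant from this answer, as an added example that is not code from the answerer. It uses a keyed MAC (HMAC-SHA256 with a server-side secret) rather than a plain hash: an unkeyed hash of record id plus user id could be computed by any logged-in user for any record id, so it would prove nothing. The secret value, the "|" and ":" separators, the RecordToken class name and the usage comments are all assumptions. The token shows only that the server issued an edit form for this user and this record; the GET that renders the form must still apply the ownership check before issuing it.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class RecordToken
{
    // Server-side secret (assumption: in a real app load it from protected config,
    // never hard-code it). Without a key the token is forgeable by any user.
    private static readonly byte[] Key =
        Encoding.UTF8.GetBytes("replace-with-a-long-random-secret");

    // Value placed in the hidden field when the edit form is rendered:
    //   "<recordId>:<hex HMAC over recordId|userKey>"
    // Including the user key binds the token to this user, so the same token
    // pasted into another account's POST fails verification.
    public static string Issue(int recordId, string userKey)
    {
        return recordId + ":" + Mac(recordId, userKey);
    }

    // On POST: yields the record id only if the MAC verifies for the current user.
    public static bool TryVerify(string token, string userKey, out int recordId)
    {
        recordId = 0;
        if (string.IsNullOrEmpty(token)) return false;

        var parts = token.Split(':');
        if (parts.Length != 2 || !int.TryParse(parts[0], out recordId)) return false;

        var expected = Mac(recordId, userKey);
        if (!FixedTimeEquals(parts[1], expected))
        {
            recordId = 0;   // do not hand back an unverified id
            return false;
        }
        return true;
    }

    private static string Mac(int recordId, string userKey)
    {
        using (var hmac = new HMACSHA256(Key))
        {
            var data = Encoding.UTF8.GetBytes(recordId + "|" + userKey);
            return BitConverter.ToString(hmac.ComputeHash(data)).Replace("-", "");
        }
    }

    // Compare without short-circuiting so timing does not reveal how many
    // leading characters of a forged MAC were correct.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// Usage in the controller (assumption: userKey is the membership provider user key):
//   GET  /Edit/5  -> after the ownership check passes:
//                    ViewData["RecordToken"] = RecordToken.Issue(contact.Id, userKey);
//                    and render it with Html.Hidden("RecordToken", ViewData["RecordToken"])
//   POST /Edit    -> int id;
//                    if (!RecordToken.TryVerify(Request.Form["RecordToken"], userKey, out id))
//                        return HttpNotFound();
//                    // then load record id for this owner and update the whitelisted fields
```

A MAC like this is convenient when the edit form is rendered by one request and posted by another, but it does not replace the ownership lookup on the POST: it only narrows the acceptable Ids to those the server already vetted when it rendered the form for this user.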

This question reminded me of an article that addresses a similar problem (in the light of URL manipulation attacks) that I had bookmarked. It deals with an authenticated user messing with another user's data. You may find this helpful: link text

Edit: this link should be the correct one: Preventing URL manipulation attacks

0