ASP.NET MVC - Think Before You Bind
I don't know about most of you out there, but I am extremely excited about the impending release of ASP.NET MVC. I'm even more curious about what kind of adoption we are going to see out of the gate, especially given how much money companies have invested in developers learning ASP.NET Web Forms. One thing that could stand in the way of adoption is horror stories from early adopters about security issues or flaws in production web applications that were overlooked because developers didn't have to think as much about these kinds of issues in ASP.NET Web Forms.
Most of these issues revolve around escaping output that goes into the HTML and dealing with post data manually. Something I have been looking at recently is the model binding abilities that ASP.NET MVC provides. In case you aren't familiar with what I am talking about: it is now possible to tell ASP.NET to bind the posted form values directly to a class parameter on an action method using the default model binder. The convenience cuts both ways, because the binder populates every settable property for which a matching form field arrives, whether or not you meant that property to be set from the browser.
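The risk and two mitigations, as an added example that is not part of the original article. The `UserProfile` entity, `EditProfileInput` class and `AccountController` are constructed for illustration; the `Bind` attribute with its `Include` list and `AcceptVerbs` are ASP.NET MVC's own.

```csharp
using System.Web.Mvc;

// Hypothetical entity: one property must never be set from the browser.
public class UserProfile
{
    public int Id { get; set; }
    public string DisplayName { get; set; }
    public string Email { get; set; }
    public bool IsAdmin { get; set; }   // privileged, server-controlled
}

// Hypothetical input class: only the fields the form is allowed to send.
public class EditProfileInput
{
    public string DisplayName { get; set; }
    public string Email { get; set; }
}

public class AccountController : Controller
{
    // RISKY: the default binder fills every settable property that has a
    // matching form value, so a POST carrying an extra "IsAdmin=true" field
    // is silently honoured if 'profile' is saved as-is.
    [AcceptVerbs(HttpVerbs.Post)]
    public ActionResult EditRisky(UserProfile profile)
    {
        Save(profile);
        return RedirectToAction("Index");
    }

    // SAFER: an explicit allow list; IsAdmin keeps its default regardless of
    // what was posted. The allow list must be kept in sync with the model.
    [AcceptVerbs(HttpVerbs.Post)]
    public ActionResult EditWithInclude(
        [Bind(Include = "DisplayName,Email")] UserProfile profile)
    {
        Save(profile);
        return RedirectToAction("Index");
    }

    // SAFEST: bind to a class with no privileged members, then copy the
    // permitted values onto the stored entity yourself.
    [AcceptVerbs(HttpVerbs.Post)]
    public ActionResult EditWithInputModel(EditProfileInput input)
    {
        UserProfile stored = LoadCurrentUserProfile();
        stored.DisplayName = input.DisplayName;
        stored.Email = input.Email;           // IsAdmin never touched
        Save(stored);
        return RedirectToAction("Index");
    }

    // Hypothetical persistence helpers standing in for a real repository.
    private UserProfile LoadCurrentUserProfile() { return new UserProfile { Id = 1 }; }
    private void Save(UserProfile profile) { /* write to storage */ }
}
```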
(Note: Opinions expressed in this article and its replies are the opinions of their respective authors and not those of DZone, Inc.)
Comments
Matthew Zalewski replied on Sun, 2009/03/29 - 2:47pm
How about this idea:
Add a hidden input field to your form containing an MD5 hash generated from the concatenated names of the input fields - we could also append some global private key for added security (people can't generate the correct hash without knowing the key).
The model binder is required to perform the same hash generation when the form is submitted, and if they don't match then an exception is thrown.