Home > Security, Uncategorized > Over posting or mass assignments vulnerability in ASP.Net MVC

Over posting or mass assignments vulnerability in ASP.Net MVC

In Visual Studio, ASP.NET MVC comes with a great productivity feature called scaffolding. It is a code generation feature that generates a controller, view and the database calls if you are using Entity Framework to communicate to the database. If developers are not careful, they may expose the application to the over posting or mass assignment security vulnerability.

To understand the vulnerability, you need to understand how the Model Binder works in ASP.NET MVC.

The source code for this article is at https://github.com/lajak/SecureAspMvc/tree/OverPosting.

Let’s start with creating some artifacts

Create a new ASP.NET MVC project

Create a new model

        public int Id { get; set; }
        public string Firstname { get; set; }
        public string Lastname { get; set; }
        public string Role { get; set; }

Create UserController

  • Right click on the Controllers folder
  • Click on Add and select Controller
  • On the dialog, select MVC controller with read/write (lets keep it simple and not over complicate the example)
  • In the Create Action method, right click on the View function and click on Add View menu item

  • Fill the dialog as shown below.

On clicking the Add button, Visual Studio will generate a for creating a user. The view will be named create.cshtml and will be located in the Views\Users folder

Run the application and browse to http://localhost/user/create

  • Go back to the UserController
  • On Create Action method that is decorated with the HttpPost attribute, change the parameter type to UserModel and the parameter name to model as shown on the picture below. Also place a breakpoint at the return statement. We don’t have a view for the Index page. But we don’t need for this post.

Run the website in debug mode

Browse to http://localhost/user/create

Fill the form

Click the Create button

The code should break at the breakpoint

Hover over the model parameter and expand the properties

Notice that the Binder mapped the values that you entered in the form to the properties in the object

Now, stop the debugger and go to the Create.cshtml page. Let’s assume that the requirement was to hide the id field. The developer goes and delete the highlighted code

Run the code again and browse to the create method

Notice that the Id field is no longer showing up

If we run the code and populate the fields, the Id property won’t be populated.

As someone who wants to exploit this vulnerability, I can inject that id parameter into the request.

It is easier to use a tool like Fiddler or Burp to intercept the request and add the extra attributes to the payload but we can use the F12 developers tools as well

Click F12

Right click on

<form action="/user/Create" method="post">

Edit as Html and add the following line

<input name="Id" class="form-control" id="Id" type="number" value="111111111" data-val-required="The Id field is required." data-val="true">

Click outside the form attribute

Notice that we can see the field

Fill the other fields and hit create

Notice that the Binder binds the value of the id field to the Id property


We showed a trivial example for the over posting vulnerability. A more realistic example would be showing more or less fields based on the user role. If the developer only uses an if statement in the cshtml code to show fields based on the user role, the developer might be exposing the application to the over posting vulnerability. In the next post, I will show how to protect your application from this vulnerability.

Categories: Security, Uncategorized Tags: ,
  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: