How to protect MVC RESTful Urls from hacking?

I recently read an interesting article about the CitiGroup hacking incident: http://www.nytimes.com/2011/06/14/technology/14security.html?_r=2&pagewanted=1&ref=technology

It made me think. Say I have an Employee table with sensitive data in my database with 100,000 rows. The table has a primary key called Id, which is an Identity column.

An employee can enter the web portal, and his data will be obtained through a RESTful Url ({Controller}/{Action}/{Id}), for example /Employee/Details/31

Now, what stops me from replacing the {Id} parameter with any other value (for example, Id = 32) and getting the data for employee number 32? Is this what happened to CitiGroup?

How do you prevent this? That is, when the user has already authenticated on the web portal but is not allowed to view other users' records? Should I use some other "token" for the client in addition to the identifier?

+3
3 answers

This is what I did for the exact same situation. First I declared an extension for the object:

public static bool Editable(this EXPENSE_OBJ e)
{
    if (e == null)
    {
        return false; // No object, so nothing to edit (the original had no return on this path)
    }

    UserRepository ur = new UserRepository();

    // Check if the current user owns the claim
    return ur.CurrentUser().UserId == e.UserId;
}

And then in the controller:

public ActionResult Details(int id)
{
    var item = repo.GetItem(id);
    if (item == null || !item.Editable())
    {
        return View("InvalidURL");
    }

    ...

}
+3

You want to use the ASP.NET Roles and Membership APIs. If you have already done this, then all you need to do to start is tag the controller with an IsUserInRole tag. Here you can find additional information about the Role class:

MSDN Role Class

0
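The following is an added example, not code from the question or from either answer above. It puts the ownership check from the first answer and the role check from the second into one ASP.NET MVC controller, and shows the vulnerable action next to the hardened one. The Employee entity, the IEmployeeRepository interface and the "HR" role name are assumptions for the illustration; Controller, [Authorize], HttpNotFound(), User.IsInRole and Membership.GetUser are real framework APIs.

```csharp
// Added example: ownership-scoped lookup plus a role override for an MVC action.
using System;
using System.Web.Mvc;
using System.Web.Security;

namespace Portal.Controllers
{
    // Hypothetical entity: Id is the identity column from the question,
    // OwnerUserId links the row to the portal account allowed to see it.
    public class Employee
    {
        public int Id { get; set; }
        public Guid OwnerUserId { get; set; }
        public string Name { get; set; }
        public decimal Salary { get; set; }
    }

    // Hypothetical repository. GetForOwner puts the owner into the WHERE clause,
    // so a row the caller does not own is never loaded in the first place.
    public interface IEmployeeRepository
    {
        Employee GetById(int id);                        // only for privileged roles
        Employee GetForOwner(int id, Guid ownerUserId);  // scoped to the caller
    }

    [Authorize] // unauthenticated requests never reach the actions below
    public class EmployeeController : Controller
    {
        private readonly IEmployeeRepository _repo;

        public EmployeeController(IEmployeeRepository repo)
        {
            _repo = repo;
        }

        // VULNERABLE (the situation in the question): the guessable Id is the
        // only input, so any logged-in user can view any employee's record.
        public ActionResult DetailsUnsafe(int id)
        {
            Employee item = _repo.GetById(id);
            if (item == null) return HttpNotFound();
            return View("Details", item);
        }

        // HARDENED: the record is looked up by (Id, current user), and the
        // caller's identity comes from the authenticated session, not the URL.
        public ActionResult Details(int id)
        {
            Employee item;

            if (User.IsInRole("HR"))
            {
                // Role check (second answer): HR may view any record.
                item = _repo.GetById(id);
            }
            else
            {
                // Ownership check (first answer), pushed into the query
                // instead of performed after the row has been loaded.
                item = _repo.GetForOwner(id, CurrentUserId());
            }

            if (item == null)
            {
                // Same response whether the row does not exist or belongs to
                // someone else, so the URL does not reveal which Ids are valid.
                LogDeniedAccess(id);
                return HttpNotFound();
            }

            return View(item);
        }

        private Guid CurrentUserId()
        {
            // SqlMembershipProvider stores the user key as a Guid.
            MembershipUser user = Membership.GetUser(User.Identity.Name);
            if (user == null || user.ProviderUserKey == null)
                throw new InvalidOperationException("Authenticated user has no membership record.");
            return (Guid)user.ProviderUserKey;
        }

        private void LogDeniedAccess(int requestedId)
        {
            // One account requesting many different Ids in a short time is the
            // pattern worth alerting on; this trace gives operations that signal.
            System.Diagnostics.Trace.TraceWarning(
                "Denied Employee/Details/{0} for user '{1}' from {2}",
                requestedId, User.Identity.Name, Request.UserHostAddress);
        }
    }
}
```

The design point is that authorization is tied to the data access itself: the hardened action cannot forget to check ownership because the query that loads the row already includes the owner. A separate "token" in the URL, as the question suggests, is not needed; the authenticated identity is the token, and it must come from the server-side session rather than from anything the client can edit.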

many-to-many, , . , - , , , . , , " " , . .

, , Guid int . .

0
