Steven Spielberg

ASP.NET MVC application security

Today I tested my ASP.NET MVC web application and found out that anyone can easily submit a form to our website without ever visiting my website.

Example: example.com/home/test

[HttpPost]
public ActionResult Test(string name)
{
    return View("home");
}  

<!-- form hosted on some other site, posting straight into my action -->
<form id="myForm" method="post" action="http://example.com/home/test">
    <input type="text" name="name" />
    <input type="submit" />
</form>

If another website makes this form, then when a user fills in the form my website will be affected.

Can I check whether the request was made by the user through my website or through another one?

Upvotes: 4

Views: 467

Answers (4)

jim tollan

Reputation: 22485

steven,

in addition to the suggestions above (which, for the life of me, I can't understand why they work CS). anyway, additionally, you can examine the origin of the request inside the controller:

var origReq = HttpContext.Request.UrlReferrer;

or, examine the headers and determine your 'action' based on the contents:

var headers = HttpContext.Request.Headers;

[edit] - of course, 'headers' can be tampered with (depending on how determined someone was to x'post to your site), so you could probably only use these for informational purposes - it's not a 100% certainty...

you can then decide if this 'post' is allowed or not depending on whether it originated from your domain (or a domain that is approved) or not.

jim

Upvotes: 0
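The check Jim describes, written out as an action filter. This is an added example, not code from the answer: the class names RequireSameHostAttribute and SourceHostCheck are assumptions, and HttpStatusCodeResult assumes MVC 3 or later. It reads the Origin header first (modern browsers send it on cross-origin POSTs) and falls back to UrlReferrer, the value the answer reads. A page on another site cannot set either header on the victim's browser request, but both can be absent (privacy extensions, some proxies, older browsers), so the filter fails closed on a missing value and is meant as a second layer next to [ValidateAntiForgeryToken], not a replacement for it.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Added example: reject POSTs whose browser-supplied Origin or Referer header
// names a host other than our own. Missing or unparsable values fail closed.
public static class SourceHostCheck
{
    // Returns true only when the request carries a parsable source host that
    // matches ownHost. An Origin of "null" (sent for sandboxed or privacy-
    // sensitive contexts) does not parse as an absolute URI and so is rejected.
    public static bool IsSameHost(string originHeader, Uri referrer, string ownHost)
    {
        string source = originHeader;
        if (string.IsNullOrEmpty(source) && referrer != null)
            source = referrer.GetLeftPart(UriPartial.Authority); // scheme://host[:port]

        Uri sourceUri;
        if (string.IsNullOrEmpty(source) || !Uri.TryCreate(source, UriKind.Absolute, out sourceUri))
            return false;

        return string.Equals(sourceUri.Host, ownHost, StringComparison.OrdinalIgnoreCase);
    }
}

// Hypothetical filter name; apply it to POST actions alongside [ValidateAntiForgeryToken].
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public sealed class RequireSameHostAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        HttpRequestBase request = filterContext.HttpContext.Request;

        // Only state-changing requests need the check; GETs are left alone.
        if (!string.Equals(request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase))
            return;

        bool ok = SourceHostCheck.IsSameHost(
            request.Headers["Origin"],   // set by modern browsers on cross-origin POSTs
            request.UrlReferrer,         // the value the answer above reads
            request.Url.Host);           // the host this request actually arrived at

        if (!ok)
            filterContext.Result = new HttpStatusCodeResult(403, "Cross-site POST rejected"); // MVC 3+
    }
}

// Usage on the action from the question:
//
//   [HttpPost]
//   [RequireSameHost]
//   [ValidateAntiForgeryToken]
//   public ActionResult Test(string name) { ... }
```

Comparing Host rather than the full authority string keeps the check from breaking behind a reverse proxy that rewrites the port; if your site is reachable under several hostnames, replace the single ownHost comparison with a lookup against the approved list the answer mentions.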

Kelderro

Reputation: 11

Steven, I recommend that you watch the video: The HaaHa Show: Microsoft ASP.NET MVC Security with Haack and Hanselman

After 24 minutes they discuss how to protect a MVC site with the Html.AntiForgery tag and show how you can implement this in a MVC website.

Upvotes: 1

DM.

Reputation: 1847

It sounds like you may be looking for some Cross-Site Request Forgery (CSRF) help. ASP.NET MVC has a pretty simple tool to help with that:

If you include: <%= Html.AntiForgeryToken() %> inside the form that is being submitted then you can mark your action method with the [ValidateAntiForgeryToken] attribute and have a pretty good handle on stopping CSRF attacks. Don't take my word for it, check out Steve Sanderson's [old] blog post about it and it should have all the background and information you'll need.

http://blog.stevensanderson.com/2008/09/01/prevent-cross-site-request-forgery-csrf-using-aspnet-mvcs-antiforgerytoken-helper/

Upvotes: 6

Richard Poole

Reputation: 3984

Use the [Authorize] filter to prevent anonymous users from accessing controllers or actions.

http://davidhayden.com/blog/dave/archive/2009/04/09/CustomAuthorizationASPNETMVCFrameworkAuthorizeAttribute.aspx

Upvotes: 5
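The Test action from the question with the attributes from DM.'s and Richard Poole's answers applied together. This is an added example, not code from either answer; the controller name HomeController and the GET action that renders the form are assumptions. Html.AntiForgeryToken() writes a hidden __RequestVerificationToken field into the form and a matching cookie; [ValidateAntiForgeryToken] rejects the POST unless both arrive and match, and a form hosted on another site cannot read your cookie, so it cannot produce a matching field. [Authorize] is worth having too, but note that on its own it does not stop the scenario in the question: the browser attaches the logged-in user's authentication cookie to a cross-site POST just as it does to a same-site one, so an authenticated user can still be made to submit the form. The two attributes cover different cases and belong together.

```csharp
using System.Web.Mvc;

// Added example: the question's action, hardened with the attributes the
// answers recommend. The view that renders the form must emit the token
// inside the <form> (ASPX view syntax, as used in DM.'s answer):
//
//   <% using (Html.BeginForm("Test", "Home")) { %>
//       <%= Html.AntiForgeryToken() %>
//       <input type="text" name="name" />
//       <input type="submit" />
//   <% } %>
public class HomeController : Controller
{
    [HttpGet]
    public ActionResult Test()
    {
        return View(); // renders the form above, with the anti-forgery token in it
    }

    [HttpPost]
    [Authorize]                 // anonymous users are turned away (Richard Poole's answer)
    [ValidateAntiForgeryToken]  // a POST without a valid token and cookie pair throws
                                // HttpAntiForgeryException before this body runs (DM.'s answer)
    public ActionResult Test(string name)
    {
        // Only reached for an authenticated user who submitted a form that
        // this site rendered; a cross-site form never gets here.
        return View("Home");
    }
}
```

If the same controller also serves GET pages that must stay public, put [Authorize] on the POST action only, as above, rather than on the class.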
