A quick overview of how to secure your model binding in ASP.NET MVC

1. Tightly binding your model(Part of a series on ASP.NET MVC Security) Barry Dorrans MVP – Developer Security

2. Introduction The ModelA class that encapsulates data and represents a business entity, for example an Order. The ViewThe user interface into an application. The ControllerManages communication between the UI and the model.

3. Binding Binding takes input from a view and applies it to a model. For example A view contains a field called “PostCode” The model has a public get/set property called “PostCode” Binding uses the PostCode property on the model to render onto the view and takes the returned PostCode input value and sets the property on the Model.

4. The Problem What if I add a field during form submission that has a property name matching that of the model? ....

5. The Solution - FormDataCollection If your actions take FromDataCollections pass a string array of allowed bindable property names e.g.UpdateModel(boardPost, new[]{"Title","Content","Rating"});

6. The Solution – Model Actions If your actions take an instance of a model object then set the bind attribute in your method definition e.g.[AcceptVerbs(HttpVerbs.Post)]public ActionResult Edit( [Bind(Include = "Title,Content")]BoardPostboardPost)

7. The Solution – Model Based You can also apply the Bind attribute to your model classes – but this applies to all binding calls, which can be limiting.[Bind(Include="Title,Content")]public class BoardPosting{}

8. The Solution – General Create a view specific model which has protected properties which are not bindable. Or be really nasty and create a custom binder. Propeller hats needed. You can also exclude rather than include – white listing is more secureExcludes may be suitable for model level restrictions.