Skip to main content

Top 4 Ways To Stop Mass Assignment Attack in ASP.NET Core MVC


Mass assignment or over posting is an attack on websites that binds models to request. This is where active record pattern in a web application is abused to modify data items that the user should not normally be allowed to access such as password, granted permissions, or administrator status. Because the attack is use to set or alter values that the developers does not expect to be by the user.


Scenarios of Mass Assignment Attack


To demonstrate how mass attack work, take for instance a web application, that has many users with different level of privileges and roles on the website. Each user is restricted on some point on what and what not to do while on the website, with the admin as the only user that have absolute role to control and do all things in the website. With mass attack a user can simply take over the role of the admin in the website and start doing things that is outside his roles and privileges.


For Instance, Let say you have a model:


public class UserModel
{
   public string UserName { get; set; }
   public bool IsAdmin { get; set; }
}
The model has two properties but you only want the user to edit the UserName property. While the IsAdmin property is used to determine the type of markup to serve depending if the request is coming from a user or and admin.


@model UserModel

<form asp-action="Attack" asp-Controller="Home">  
   <div class="form-group">
       <label asp-for="UserName"></label>
       <input class="form-control" type="TextBox" asp-for="UserNAme" />
   </div>
   <div class="form-group">
       @if (Model.IsAdmin)
       {
           <i>This is an admin</i>
       }
       else
       {
           <i>This is a normal user</i>
       }
   </div>
   <button class="btn btn-sm" type="submit">Submit</button>
</form>



In this scenario, you want your website to serve a particular markup on normal user and a different one when the request is coming from an admin. The website is cool, when a user submits a form only the UserName is sent to the server and when model binding occurs, only the UserName field is set while IsAdmin field remains unset. Everything looks ok, until a malicious user sets the IsAdmin field to True with little HTML manipulation, at this point, the malicious user can now do things that were exclusive to only Admin, takes control of your website and probably revokes your admin privilege and makes you a normal user. Lol but don’t worry i will show quickly ways to avoid that.


How to avoid mass assignment
Is it possible to stop this attack? Sure, there are ways that this attack can be stopped and there are a whole lot of them and i will show you some options that can be applied to stopped this attack.


1.  Use [Editable] on the model


public class UserModel  
{
   [Required]
   public string UserName { get; set; }

   [Editable(false)]
   public bool IsAdmin { get; set; }
}


In this case, you make use of Dataannotations. Dataannotations are used to provide additional metadata on model and also used for validation for instance the [Required]. This approach will make model binder to ignore any posting to IsAdmin field.


While this approach is good but it has a downside, in situation where you will want to update the IsAdmin field, this will make it difficult and brings unnecessary complexity to your code base.


2. Use separation of Concerns in models
This approach involves separating concerns by using two different models, that encapsulates different parts of the system. This approach is better, because it provides opportunity to stops mass assignment while also making it easy to update your IsAdmin field in situations where it’s needed.


public class ViewsModel  
{
   [Required]
   public string UserName { get; set; }
}

public class UserModel  
{
   [Required]
   public string UserName { get; set; }

   [Editable(false)]
   public bool IsAdmin { get; set; }
}


In this scenario, there’s separation of concerns because our UserModel is the model that’s providing the data needed for model binding while another model is used by View for generating markup. This approach will stop mass assignment because targeting the ViewsModel will not yield any result as it does not have the IsAdmin field.


While this approach is cool, it also has it’s downside. The downside is duplication of property, that means any time a change it’s made to any of the model, that same change needs to be replicated on the corresponding model. While these seems trivial, it can be a pain in the ass in large applications.



3. Inherit from a Base Class
This approach involves inheriting from a base class in situations you have a common property.


public class ViewsModel  
{
   [Required]
   public string UserName { get; set; }
}

public class UserModel : ViewsModel  
{
   public bool IsAdmin { get; set; }
}


This approach also involves separation of concerns that solves the problem of mass assignment and also solves the problem of duplication of field that have common property.

4.  Use ModelMetadataTypeAttribute

This approach also involves separation of concerns, that will stop mass assignment, with an approach of solving the issue of replication of Dataannotations. It does this by allowing you to defer  Dataannotations and other metadata to a different class.


[ModelMetadataType(typeof(UserModel))]
public class ViewsModel  
{
   public string UserName { get; set; }
}

public class UserModel  
{
   [Required]
   public string UserName { get; set; }

   public bool IsAdmin { get; set; }
}

One thing to bear in mind in this approach, there is relationship between this two model now, a change to UserName in UserModel will also require same change to be made to the UserName in Viewsmodel. If a change is make to the latter while same change has not been replicated on the former, though it won’t generate an error but the Dataannotations and other metadata won’t be applied again.

Comments

Popular posts from this blog

How to implement RESTful API Versioning in ASP.NET Web API 2 using IHttpRouteConstraint

The only thing constant in life is change, and that is proved everyday in our industry, API’s are cool to extend the functionality of your application and expose it to other developers. The cool thing about IT and software, it’s that things changes quite rapidly and so it’s the technology, hence technology can change and the needs of your organisation can change, hence in order to keep serving this evolving needs and keep been relevant, your api might need to change also. Small changes can be accommodated within the initial version, but changes that will risked breaking the existing code, will required the need for versioning.

Implementing a custom IHttpRouteConstraint

According to msdn, a IHttpRouteConstraint simply Represents a base class route constraint. What then is a route constraint? A route constraint simply gets or sets a dictionary of expressions that specify valid values for a URL parameter.

publicclassApiVersionRouteConstraint : IHttpRouteConstraint
  {

publicApiVersionRouteCo…

How to implement multi-tenancy with subdomains using Route Constraint in ASP.NET MVC

According to Wikipedia, The term "software multitenancy" refers to a software architecture in which a single instance of software runs on a server and serves multiple tenants. A tenant is a group of users who share a common access with specific privileges to the software instance. With a multitenant architecture, a software application is designed to provide every tenant a dedicated share of the instance - including its data, configuration, user management, tenant individual functionality and non-functional properties. Multitenancy contrasts with multi-instance architectures, where separate software instances operate on behalf of different tenants. By giving companies, access to a tenant through a subdomain of choice, will help to personalise the experience more and gives a sense of ownership to each tenant. This will go along way to bring consistency in there branding.
Implementing Route Constraint
You use route constraints to restrict the browser requests that match a partic…

How to do partial update for HTTP APIs in ASP.NET CORE MVC with JSON Patch

JSON Patch is a format for describing changes to a JSON document. It can be used to avoid sending a whole document when only a part has changed. When used in combination with the HTTP PATCH method, it allows partial updates for HTTP APIs in a standards compliant way. A JSON Patch document is just a JSON file containing an array of patch operations. The patch operations supported by JSON Patch are “add”, “remove”, “replace”, “move”, “copy” and “test”. The operations are applied in order: if any of them fail then the whole patch operation should abort.
The JSON Patch supports the following operations:
Add - Adds a value to an object or inserts it into an array.Remove -  Removes a value from an object or array. Replace - Replaces a value. Equivalent to a “remove” followed by an “add”. Copy - Copy a value from one location to another within the JSON document. Both from and path are JSON Pointers. Move - Move a value from one location to the other. Both from and path are JSON Pointers. Test - Te…