ASP.NET MVC 3 Security Re-Visited

While presenting at the IPMA, I demonstrated to the 150+ person audience how easy it is to hijack another user’s credentials within an ASP.NET MVC 3 application that hasn’t been vetted for coding-practices. In this article, I will show a video of me re-demonstrating that attack, exactly how to fix it, and post the source-code for everyone to take a look at.

ASP.NET MVC 3 is a new web-development framework that is in its early-stages of development and adoption by the community at large. As such, it warrants some attention to address the new techniques for managing security vulnerabilities. These vulnerabilities aren’t new and they’ve been around in ASP.NET, classic ASP, and pretty much ANY technology you can think of. There is no way that a framework can really protect the software-developer from him/her self.

Case-and-point, as I was working on a project for a client of mine, I realized there was a vulnerability being exposed in the way that I displayed a user’s registration information. Nothing looked inherently amiss at first glance… but when I sat down and thought about it, I realized I had really messed up.

Below is the offending code that I’m referring to.

public ActionResult Edit(int id)
    Models.UserRegistration userReg = _model.UserRegistrations
                                        .Where(i => i.UserRegistrationId == id)
    return View(userReg);

This code is located in the 1 Controller that I have added to the MVC 3 project. What it’s supposed to do is provide the data to the user based on the unique Identifier in the database associated with that user. Now you might be saying to yourself, as I did, “This code looks fine to me. It’s functional, and if you’ve got Windows Integrated security turned on… the user shouldn’t be able to see this page anyway!” In fact, you could even go so far as to say, “Why don’t you just add a line on the method to prevent users that aren’t in the appropriate Role from accessing this code?” There’s a problem with both proposed solutions and summaries… namely… what if I’m already an authenticated user and I’m already a member of an appropriate Role? (This is the case when allowing users to access your Washington State agency web applications through Secure Access Washington or S.A.W.)

The attached video on YouTube describes fully, how this poor coding practice can be exploited by legitimate users of your web application. (** NOTE ** I had to edit out the first 1.1 minutes of the video so that I would not exceed the 15 minute limit imposed by YouTube!)

The video does a pretty good job explaining how to fix the code problem and why you shouldn’t just stop at the ‘Read-Only’ screens that users commonly access and assume that an Http-Post of your data to a web-server is difficult for an amateur to hack. Tools like Fiddler2 make it extremely EASY to exploit poor application coding practices.

Here is the code for the PRE hack-proofed example.

And here is the codde for the POST hack-proofed example. (i.e. Fixed)

3 Responses to ASP.NET MVC 3 Security Re-Visited

  1. Chad Stoker says:

    Hmmm… great feedback. I’m thinking I’ll do a blog-post about how to subscribe to our blog as an RSS feed. I’ll also check into implementing a direct email to those who subscribe. Should be simple enough.

  2. Thanks for another awesome post. I am quite sure this article has helped me save many hours of reading other similar posts just to find what I was looking for. Keep up the good work: Thank you!

  3. Anastasia says:

    This is certainly a thing I must find more information about, thank you for the posting.

Our Capabilities Include:

Custom Software Development
Enterprise Architecture
Project Management
Systems Analysis
Performance Testing


These methods are vital to our work:

Agile Methodology
Test-Driven Development


About CodeSmart, Inc.

CodeSmart has been locally owned and operated in the Olympia, WA area since 2002. We direct, design, develop and deliver full end-to-end information systems using leading edge Microsoft .Net technologies and recommended best practices.