asp.net mvc - Most effective method of protecting an entity ID when posting back from a view -

-

edit - quick edit, start off clear question! i'm asking is, effective way of protecting entity identifiers when posting view?

i've been thinking ways protect id on post when editing view model. let's take example entity

public class post {     public int id { get; set; }     public string title { get; set; }     public string content { get; set; } }

and corresponding view model:

public class postviewmodel {     public int id { get; set; }     public string title { get; set; }     public string content { get; set; } }

now, when pass view model view allows user edit it, i'm going doing this:

public actionresult editpost(postviewmodel viewmodel) {     post post = database.posts.single(p => p.id.equals(viewmodel.id));     post.title = viewmodel.title;     post.content = viewmodel.content;     database.entry(post).state = system.data.entitystate.modified;     database.savechanges();      return view(viewmodel); }

or maybe pass id through parameter list this:

public actionresult editpost(int postid, postviewmodel viewmodel) {     post post = database.posts.single(p => p.id.equals(postid));     // , rest }

either way, need return identifier entity we're updating along post data. how make sure entity updated 1 intended?

i suppose validate whether user has sufficient access update entity... if user's account becomes compromised, , random hacker starts injecting random ids using account? updating sorts of posts @ random.

having complex (like guid) identifier recommended entities, make guessing lot harder, makes nice , friendly urls bit intimidating average user, having pass around when viewing post example.

how best of both worlds here? keeping clean urls, protecting our entities injection attacks?

this direct reference attack, , according oswap recommendations, can either

  • obfuscate id swapping guid , holding mapping in memory/session
  • hold reference item in session , make sure same comes back

the way tackle attribute, haven't code hand need like

decorate action attribute on gets, attribute clears item list session pull item db store items id in session item  decorate post action attribute     attribute makes sure modelstate valid first (saves double validating) attribute looks in session id attribute checks id against stored value if id matches, action can continue if id doesn't match, entry made in modelstate

using sort of methodolgy, can protect against fiddling ids in tools burpsuite or using console mode of browser flip hidden fields.

also, starter process, ensure item doesnt blindly db, first ensures person can item, ie. belongs datasets etc etc


Popular posts from this blog

How to calculate SNR of signals in MATLAB? -

-
i've encountered simple, yet fundamental problem on calculating snr: there several signals : s1 = original , pure clean signal without noise. n1 = white gaussian noise going added s1. s2 = s1 + n1 (the noisy signal before performing noise-reduction algorithm) s3 = noise-reduced signal (after performing noise reduction algorithm) n2 = s3 - s1 (the amount of noise after performing noise-reduction algorithm) now want compare snr before , after performing noise-reduction algorithm. which signals should consider snr_before!? s1/n1 or s2/n1 ? which signals should consider snr_after!? s3/n1 or s3/n2 ? which commands or functions should use in matlab in order compute snr_before , snr_after? thanks billion putting time on helping me. what know calculating snr before : snrbeforenoise = mean( signal .^ 2 ) / mean( noise .^ 2 ); and snr after : residual_noise = signal - noise_reduced_signal; snr_after = mean( signal .^ 2 ) / mean( residual_noise .^ 2...
Read more

c# - Attempting to upload to FTP: System.Net.WebException: System error -

-
i have api takes in xml , uploads files based on information in xml. uploads on schedule (also xml), , have tested surrounding , know works. i getting error 40% of time on first file attempt upload in each time cycle (time cycle = 45 minutes files, 30 minutes others). here code upload: try { loggerftp.log("uploading file: " + filename, false); // create request. ftpwebrequest request = (ftpwebrequest)webrequest.create(appsettingsftp.ftpurl + @"/" + filename); request.method = webrequestmethods.ftp.uploadfile; request.timeout = 6000000; //set 100 minutes //request.timeout = -1; //set infinite // add login credentials. request.credentials = new networkcredential(appsettingsftp.ftplogin, appsettingsftp.ftppassword); // grab file contents. streamreader sourcestream = new streamreader(appsettingsftp.uploadfiledirectory + filename); byte[] filecontents = encoding.utf8.getbytes(sourcestream.readtoend()); sourcest...
Read more

ios - UISlider customization: how to properly add shadow to custom knob image -

-
Image
i need place custom knob image shadow uislider. far have image of 38x38, of there region defines shadow of knob. now while using image, when slide knob extreme ends actual knob not able cover end points, hence end points visible under transparent region of knob image this code using customize uislider uiimage *slidebtimg = [uiimage imagenamed:sliderknobimg]; [self.ratingslider setthumbimage:slidebtimg forstate:uicontrolstatenormal]; [self.ratingslider setthumbimage:slidebtimg forstate:uicontrolstatehighlighted]; how can implement custom knob shadow beneath it, covering end points?? look inside uislider.h , there methods let customize slider knob , track needed. (ios 2.0 , above) // lets subclass lay out track , thumb needed - (cgrect)minimumvalueimagerectforbounds:(cgrect)bounds; - (cgrect)maximumvalueimagerectforbounds:(cgrect)bounds; - (cgrect)trackrectforbounds:(cgrect)bounds; - (cgrect)thumbrectforbounds:(cgrect)bounds trackrect:(cgrect)rect value:...
Read more