
I have a controller called Account and an action called AddFunds()

In my HttpGet AddFunds() action I return the view bound to a ViewModel with an AccountId property, so by default the view contains a hidden field called AccountId.

In the HttpPost AddFunds() action, I receive the updated ViewModel, with the same AccountID as passed by the HttpGet method, along with some other parameters, such as Amount, etc.

What can I do to prevent a person from invoking the method directly, passing a fake AccountId?

Does the AntiForgery token prevent this? Should I take any other measures?

As a side question, can passing the AccountID in a hidden field be avoided, or is it necessary to know which entity I am acting upon?

Thanks

IGIT
    Instead of describing your code, just post it. – ataravati Oct 03 '15 at 15:30
  • The short answer is you need to compare the passed AccountID to the AccountID for the authenticated user before allowing any kind of changes. However, this is a rather large topic and you should read up on how security works for your asp.net mvc app. Here's a good start http://blogs.msdn.com/b/rickandy/archive/2012/03/23/securing-your-asp-net-mvc-4-app-and-the-new-allowanonymous-attribute.aspx – Jasen Oct 03 '15 at 19:01
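The check Jasen's comment describes, written out as an added example (not code from the question or from either answer): the AccountId in the hidden field is treated only as an untrusted lookup hint, and both the GET and the POST action re-verify that the account belongs to the authenticated user. IAccountRepository, FindOwnedBy and AddFunds are assumed helpers; User.Identity.GetUserId() comes from Microsoft.AspNet.Identity.

```csharp
using System.Web.Mvc;
using Microsoft.AspNet.Identity;

public class Account { public int Id { get; set; } public string OwnerUserId { get; set; } }

// Hypothetical data-access abstraction; not part of ASP.NET MVC.
public interface IAccountRepository
{
    // Returns the account only if it exists AND is owned by userId; otherwise null.
    Account FindOwnedBy(int accountId, string userId);
    void AddFunds(Account account, decimal amount);
}

public class AddFundsViewModel
{
    public int AccountId { get; set; }
    public decimal Amount { get; set; }
}

[Authorize] // unauthenticated requests never reach either action
public class AccountController : Controller
{
    private readonly IAccountRepository _accounts;
    public AccountController(IAccountRepository accounts) { _accounts = accounts; }

    [HttpGet]
    public ActionResult AddFunds(int accountId)
    {
        var account = _accounts.FindOwnedBy(accountId, User.Identity.GetUserId());
        // Same response for "does not exist" and "not yours", so the URL gives no ownership oracle.
        if (account == null) return HttpNotFound();
        return View(new AddFundsViewModel { AccountId = account.Id });
    }

    [HttpPost]
    [ValidateAntiForgeryToken] // blocks CSRF only; it does not tie AccountId to this user
    public ActionResult AddFunds(AddFundsViewModel model)
    {
        if (!ModelState.IsValid) return View(model);
        if (model.Amount <= 0)
        {
            ModelState.AddModelError("Amount", "Amount must be positive.");
            return View(model);
        }
        // The hidden field is client-controlled input: ownership is re-checked against the
        // server-side identity, never against anything the form sent. A tampered AccountId
        // that belongs to someone else resolves to null here and is rejected.
        var account = _accounts.FindOwnedBy(model.AccountId, User.Identity.GetUserId());
        if (account == null) return HttpNotFound();
        _accounts.AddFunds(account, model.Amount);
        return RedirectToAction("Index");
    }
}
```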

2 Answers


First thing: you should really avoid using hidden fields for data/IDs which are about to be passed to the controller's action and represent some real and possibly important data.

If you are concerned about a user who is given the possibility to manipulate the ID, you should introduce a non-deterministic ID (like a GUID).

The anti-forgery token is used to prevent a CSRF attack.

kamil-mrzyglod
  • Hi @Kamo, the Id in hidden fields is created by default by the scaffolding functionality. How do you avoid this? What options do we have? – IGIT Oct 04 '15 at 02:22
  • @IGIT You have to provide more detailed info about this functionality. – kamil-mrzyglod Oct 04 '15 at 11:21

You can encrypt the Id when passing the value to the post action and decrypt that id in the post method wherever it is required.

Your URL will be: localhost:3040/home/edit?AccountId=hkdshjlk89890-32 (encrypted id)

Or you can use base64 encode and decode (I won't recommend base64, because everyone can decode the value).

For another solution, you can see the link below: Only allow access to action if redirected from specific action

Cherry