1

I am developing this in ASP.Net MVC5. Given the following example:

I update all the fields of entity A. Before I post, however, I change the hidden input field holding A's Id to B's Id. Now all my updates are pushed onto B.

Are there any solutions in the .NET framework (similar to anti-forgery token) to prevent this from happening? Or should I implement the hashing method outlined in the following: http://sergeyakopov.com/tamper-proof-hidden-fields-in-asp-net-mvc/

Thanks

Norman Bentley
  • 1
    No, it sounds like you have a multi-user application, so you might need to implement row-level security and authorize every operation. – CodeCaster Jan 18 '16 at 22:05
  • 1
    Another article which discusses the technique is [here](http://blog.slatner.com/2010/01/20/SecuringFormValuesInASPNETMVC.aspx) –  Jan 18 '16 at 22:13
  • Thanks for the input, implemented the technique used in the link I posted. Works like a charm – Norman Bentley Jan 19 '16 at 19:31
  • Essentially you want to validate all inputs server side. There's nothing built in AFAIK. – SilverlightFox Jan 21 '16 at 08:14
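
An added example (not code from the question, its comments or the linked articles) of the signed hidden field idea asked about above: an HMAC-SHA256 tag binds the entity Id to the signed-in user and to one form, so a swapped Id fails verification on post. `HiddenFieldProtector`, its members, the `purpose` string and the way the key is loaded are assumptions made for illustration.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper (added example). GET action: render Sign(userId, "EntityA.Edit", model.Id)
// in a second hidden field. POST action: reject the request when Verify(...) returns false.
public static class HiddenFieldProtector
{
    // Assumption: a random server-side secret of at least 32 bytes, loaded once
    // at startup from protected configuration and never sent to the client.
    private static byte[] _key;

    public static void Initialize(byte[] key)
    {
        if (key == null || key.Length < 32)
            throw new ArgumentException("Key must be at least 32 bytes.", "key");
        _key = (byte[])key.Clone();
    }

    // Length-prefixed fields keep ("ab","c") and ("a","bc") from producing the same input.
    private static byte[] Tag(string userId, string purpose, int entityId)
    {
        string msg = string.Format(CultureInfo.InvariantCulture, "{0}:{1}|{2}:{3}|{4}",
            userId.Length, userId, purpose.Length, purpose, entityId);
        using (var hmac = new HMACSHA256(_key))
            return hmac.ComputeHash(Encoding.UTF8.GetBytes(msg));
    }

    public static string Sign(string userId, string purpose, int entityId)
    {
        return Convert.ToBase64String(Tag(userId, purpose, entityId));
    }

    public static bool Verify(string userId, string purpose, int entityId, string postedTag)
    {
        if (string.IsNullOrEmpty(postedTag)) return false;
        byte[] posted;
        try { posted = Convert.FromBase64String(postedTag); }
        catch (FormatException) { return false; }   // malformed tag is treated as tampering
        byte[] expected = Tag(userId, purpose, entityId);
        if (expected.Length != posted.Length) return false;
        int diff = 0;                                // compare without an early exit
        for (int i = 0; i < expected.Length; i++) diff |= expected[i] ^ posted[i];
        return diff == 0;
    }
}
```

The tag only shows that the server issued this Id to this user for this form; a server-side check that the current user may modify the entity is still needed on every post, because permissions can change after the form was rendered.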

1 Answer

-1

How about using encrypted viewstate? You can store the control variables in viewstate and verify the same on submit. The following document will provide an excellent guide:

https://msdn.microsoft.com/en-us/library/ms178199(v=vs.85).aspx

Edit: My bad, this will not work for MVC, as @SilverlightFox rightly said.

Kartik