How to secure are MVC RESTful Urls from Hacking?

Question

I read an interesting article recently on the CitiGroup Hacking incident http://www.nytimes.com/2011/06/14/technology/14security.html?_r=2&pagewanted=1&ref=technology

This got me thinking, say I have a table of sensitive Employee data in my database with 100,000 rows. The table has a Primary Key called Id, which is an Identity column.

The Employee can log in to the Web Portal and his details are retrieved via a RESTful Url ({Controller}/{Action}/{Id}) e.g. /Employee/Details/31

Now, what's to stop me substituting the {Id} parameter for any parameter (e.g. Id = 32) and retrieving details for Employee #32? Is this what happened with CitiGroup?

How do you prevent this? i.e. where the User has already been Authenticated on the Web Portal but is not Authorized to view other users records? Should I use some other specific 'token' for the customer in addition to the Id ?

Just to add to this I have implemented a custom Membership API and this works fine i.e. the Employee logs in using FormsAuthentication and a FormsAuthentication Ticket (Cookie) is created. I then check if the Employee is in Roles, IsAuthenticated, etc. in order to grant permissions to Controllers & Actions. But ... this still doesn't prevent access to Data that doesn't belong to him i.e. because I am Authorized & Authenticated to access /Employee/Details I can still substitute any (guessed) EmployeeId? — Click Ahead, Jun 15 '11 at 17:04
you could also encrypt and decrypt all the Ids that you use in your urls in a way that if somebody would send his url to someone via skype the other one would be able to use it — Omu, Jun 15 '11 at 19:03

score 3 · Accepted Answer · answered Jun 15 '11 at 16:42

3

This is what I did for exactly the same situation, first I declared an extension to the object:

public static bool Editable(this EXPENSE_OBJ e)
{
    if (e != null)
    {
       UserRepository ur = new UserRepository();

       if (ur.CurrentUser().UserId == e.UserId) //Check if the user owns the claim
       {
           return true; //User owns the claim
       }
       else
       {
           return false; //User does not own the claim
       }

    }
}

And then in the controller:

public ActionResult Details(id)
{
    var item = repo.GetItem(id);
    if(!item.Editable())
    {
         return View("InvalidURL");
    }

    ...

}

answered Jun 15 '11 at 16:42

Chris

3,191
4
22
37

Hi Chris, lets say the Employee belongs to a Company and to retrieve the Company details I call /Company/Details/101 i.e. again it's a RESTful Url for the Company Details. In this instance I guess I would also need to pass in the UserId and check if the User belongs to the Company he is retrieving at the database level? – Click Ahead Jun 15 '11 at 17:01
+1 this is broadly similar to the approach that i take. my checking object is extended a little in that it allows admin role users to also view/modify the 'user' object – jim tollan Jun 15 '11 at 17:29
Exactly, though personally I have implemented a ur.CurrentUser() so I never have to pass through the userid. – Chris Jun 16 '11 at 08:35

score 0 · Answer 2 · answered Jun 15 '11 at 16:40

0

You will want to utilize the ASP.NET Roles and Membership API. If you are already doing that then all you need to do to start is mark controller with a IsUserInRole check. You can find more information about the Roles Class here:

MSDN Roles Class

answered Jun 15 '11 at 16:40

BentOnCoding

27,307
14
64
92

Hi Robert, I've already implemented my own Membership & Roles API and this works fine i.e. my app. is Authenticated and then he is Authorised to access the Action. But, the User then uses the Action to retrieve a different set of data from the database. I need to secure access to only his data. Does that make sense? – Click Ahead Jun 15 '11 at 16:56

score 0 · Answer 3 · answered Jun 15 '11 at 17:04

I use a many-to-many table that holds a relationship between the user and the ID of the entities they are allowed to modify. Every time anyone attempts to change one of those entities, I do a check to make sure that they are allowed to do it. I also put a trigger on the table that holds the entities that will delete associated records in that many-to-many table whenever an entity is deleted. This has worked out quite well for me.

Another thing you could do is use a Guid instead of an int for your primary key. That will prevent people from guessing the primary key.

How to secure are MVC RESTful Urls from Hacking?

3 Answers3