[Owasp-dotnet] Blog post: ASP.NET MVC – XSS and AutoBind vulns in MVC Example
dinis.cruz at owasp.org
Sun Sep 28 05:43:56 EDT 2008
Thanks for the answers. Do you know where I can find more information about
this 'explicit list of parameters to update'?
Also, what is a good source of ASP.NET MVC examples?
2008/9/28 Steve Sanderson <steven at stevensanderson.co.uk>
> Hi Dinis
> Thanks for your analysis - it's interesting. However there are a couple of
> points that mitigate the attack vectors you describe:
> For the "changing arbitrary model properties" vuln ("AutoBind"), as of
> Preview 5, the programmer is required to specify an explicit list of
> parameters to update. So this vulnerability does not exist in the latest
> For the XSS issue, you're absolutely right that user input can be
> returned unencoded by default, but the advice is always to escape your
> outputs. So an MVC programmer would never write <%= some user-supplied data
> %> - we would always write <%= Html.Encode(some user-supplied data) %>
> instead. That's the official guidance anyway. For more about this, see
> I'm currently writing a book about ASP.NET MVC and have a chapter on
> security issues, so if you have any other ideas about potential
> vulnerabilities I'd be pleased to hear about them.
> On Sun, Sep 28, 2008 at 6:52 AM, dinis cruz <dinis.cruz at owasp.org> wrote:
>> Hi guys,
>> I just blogged about a couple of issues I discovered on ASP.NET MVC (release
>> 4 I think),
>> Am I missing something obvious or is this really how this is supposed to
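The two mitigations Steve describes (an explicit allow-list of bindable properties, and HTML-encoding output in the view) side by side with the patterns they replace. This is an added example written for this archive page, not code from the thread, from Steve's book, or from the ASP.NET MVC project; it uses the MVC 1.0-era API (`UpdateModel(model, includeProperties)`, `[Bind(Include = ...)]`, `Html.Encode`), and the exact Preview 5 signatures, the `UserProfile` type and the `ProfileController` actions are assumptions made for illustration.

```csharp
// Added example: allow-list model binding and encoded output in ASP.NET MVC.
// Framework calls are MVC 1.0-era; Preview 5 names may differ slightly (assumption).
using System.Web.Mvc;

// Hypothetical model: IsAdmin must never be settable from a form post.
public class UserProfile
{
    public string DisplayName { get; set; }
    public string Email { get; set; }
    public bool IsAdmin { get; set; }
}

public class ProfileController : Controller
{
    // The "AutoBind" pattern: every property whose name matches a posted field
    // is updated, so a request that also carries IsAdmin=true flips the flag.
    public ActionResult EditUnsafe(int id)
    {
        UserProfile profile = LoadProfile(id);
        UpdateModel(profile);                 // binds DisplayName, Email AND IsAdmin
        SaveProfile(profile);
        return RedirectToAction("Index");
    }

    // Mitigated: only the named properties are updated; any other field in the
    // request (IsAdmin included) is ignored by the binder.
    public ActionResult Edit(int id)
    {
        UserProfile profile = LoadProfile(id);
        UpdateModel(profile, new[] { "DisplayName", "Email" });
        SaveProfile(profile);
        return RedirectToAction("Index");
    }

    // Same allow-list declared on a parameter that the framework binds itself.
    public ActionResult Create([Bind(Include = "DisplayName,Email")] UserProfile profile)
    {
        SaveProfile(profile);
        return RedirectToAction("Index");
    }

    // Persistence is out of scope here; these stand in for a real data layer.
    private UserProfile LoadProfile(int id)
    {
        return new UserProfile { DisplayName = "user" + id, Email = "user@example.invalid", IsAdmin = false };
    }

    private void SaveProfile(UserProfile profile) { /* hypothetical store */ }
}

// View side (WebForms view engine), as Steve's reply recommends:
//
//   <%= Model.DisplayName %>                 <- raw echo: stored XSS if the name holds markup
//   <%= Html.Encode(Model.DisplayName) %>    <- encoded: markup is rendered as text
//
// Html.Encode turns "<script>" into "&lt;script&gt;", so the browser displays
// the characters instead of executing them.
```

The allow-list is the property the reviewer should look for in code review: a call to `UpdateModel` with no include list, or a `[Bind]`-less complex action parameter, means every public settable property of the model is reachable from the request.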