[Owasp-dotnet] Blog post: ASP.NET MVC – XSS and AutoBind vulns in MVC Example

Steve Sanderson steven at stevensanderson.com
Mon Sep 29 10:43:37 EDT 2008


Hi there

MSDN aren't completely up-to-date with the latest CTP releases, so I
wouldn't expect to find this guidance on there. Once ASP.NET MVC gets to RTM
there will be a lot more resources about it, on MSDN, third-party books,
etc, so it will certainly be covered many times over. The reason they
changed to forcing the developer to specify a property list is because
they're aware of this issue.

As for the date of the RTM, unfortunately I don't know anything exact (as
much as I wish I did).
http://www.codeplex.com/aspnet/Wiki/View.aspx?title=Road%20Map&referringTitle=Home
says Q4 2008 or Q1 2009.

Regards
Steve


On Mon, Sep 29, 2008 at 3:25 PM, dinis cruz <dinis.cruz at owasp.org> wrote:

> Ok, so apart from the blog post that I just did, is there any other post or
> msdn article on the web that explains that? (i.e. the security implications
> of performing the autobinding of all parameters into the assigned class)
>
> On the RTM, do you know the date it is going to happen?
>
> Dinis
>
> 2008/9/29 Steve Sanderson <steven at stevensanderson.com>
>
>> Hi Dinis
>>
>> Yes, it is possible to pass Request.Form.AllKeys to update "all
>> properties" on a model object. Microsoft won't encourage developers to do
>> that, though some people on the asp.net forums might do. It's
>> "convenient", but in general it's a very bad idea because of the security
>> issues that you've cited. You're right to warn people not to do that unless
>> they really want to expose all properties as writeable.
>>
>> I don't expect the RTM will change this behavior, though I don't know for
>> sure.
>>
>> Regards
>> Steve
>>
>>
>>
>>
>> On Sun, Sep 28, 2008 at 11:30 PM, dinis cruz <dinis.cruz at owasp.org> wrote:
>>
>>> Thanks,
>>>
>>> Question: in P5 is it still possible to perform autobinding of form
>>> fields into complete objects?
>>>
>>> The example in this post (http://forums.asp.net/t/1312966.aspx) seems to
>>> imply that:
>>>
>>> BindingHelperExtensions.UpdateFrom(mymodel, Request.Form);
>>>
>>> with
>>>
>>> UpdateModel(mymodel, Request.Form.AllKeys);
>>>
>>> Also from your comments, it seems that P5 is backward compatible (since
>>> (it sounds like) the insecure examples still work there).
>>>
>>> Do you know if RTM will change this?
>>>
>>> Note that if the backward compatible default behavior is allowed, I can
>>> see a lot of people using it (since it is very convenient)
>>>
>>> Dinis
>>>
>>> 2008/9/28 Steve Sanderson <steven at stevensanderson.com>
>>>
>>>> Hi there
>>>>
>>>> If you update to Preview 5, you'll find that "BindingHelperExtensions"
>>>> is gone, and in its place is a method on the Controller base class called
>>>> UpdateModel. All the overloads of this method require the programmer to pass
>>>> a list of model properties that are updateable. That's what I meant by the
>>>> "explicit list".
>>>>
>>>> Unfortunately since ASP.NET MVC isn't yet released (it's still
>>>> pre-beta) there's a shortage of good examples on the net. Even the examples
>>>> you do find will mostly relate to older and now deprecated CTP releases
>>>> (such as the "Updated Northwind demo" that you used) so aren't especially
>>>> useful if you're scouting for potential vulnerabilities. If you wait until
>>>> RTM, there'll be a whole stack of books and training resources becoming
>>>> available.
>>>>
>>>> To answer the questions in your Word doc:
>>>>
>>>> -    Where is the ViewState?  It looks like they dropped it, and in this
>>>> case it would prevent this from being exploited
>>>>
>>>> Yes, ViewState is gone, because that's an aspect of WebForms server
>>>> controls and is no longer relevant in ASP.NET MVC.
>>>>
>>>> -    What about PageValidation?  is that also disabled? (that allows XSS
>>>> payloads on the way in)
>>>>
>>>> By PageValidation, do you mean "Request Validation" (i.e., <%@Page
>>>> Validate="true" %>)? If so, that's gone too - it was always a bad way of
>>>> dealing with XSS, and the ASP.NET MVC team has thankfully demoted it.
>>>> Request Validation just confuses developers and leads them to produce
>>>> insecure sites - ASP.NET MVC recognizes that the only sensible and
>>>> robust way to prevent XSS is to make sure your outputs are HTML-encoded.
>>>>
>>>> Regards
>>>> Steve
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On Sun, Sep 28, 2008 at 10:43 AM, dinis cruz <dinis.cruz at owasp.org> wrote:
>>>>
>>>>> Hi Steve
>>>>>
>>>>> Thanks for the answers, do you know where I can find more information
>>>>> about this 'explicit list of parameters to update'?
>>>>>
>>>>> Also what is a good source of ASP.NET MVC examples?
>>>>>
>>>>> Dinis
>>>>>
>>>>> 2008/9/28 Steve Sanderson <steven at stevensanderson.co.uk>
>>>>>
>>>>>> Hi Dinis
>>>>>>
>>>>>> Thanks for your analysis - it's interesting. However there are a
>>>>>> couple of points that mitigate the attack vectors you describe:
>>>>>>
>>>>>> [1] For the "changing arbitrary model properties" vuln ("AutoBind"),
>>>>>> as of Preview 5, the programmer is required to specify an explicit list of
>>>>>> parameters to update. So this vulnerability does not exist in the latest
>>>>>> preview.
>>>>>>
>>>>>> [2] For the XSS issue, you're absolutely right that user input can be
>>>>>> returned unencoded by default, but the advice is always to escape your
>>>>>> outputs. So an MVC programmer would never write <%= some user-supplied data
>>>>>> %> - we would always write <%= Html.Encode(some user-supplied data) %>
>>>>>> instead. That's the official guidance anyway. For more about this, see
>>>>>> http://blog.codeville.net/2007/12/19/aspnet-mvc-prevent-xss-with-automatic-html-encoding/
>>>>>>
>>>>>> I'm currently writing a book about ASP.NET MVC and have a chapter on
>>>>>> security issues, so if you have any other ideas about potential
>>>>>> vulnerabilities I'd be pleased to hear about them.
>>>>>>
>>>>>> Cheers
>>>>>> Steve
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Sun, Sep 28, 2008 at 6:52 AM, dinis cruz <dinis.cruz at owasp.org> wrote:
>>>>>>
>>>>>>> Hi guys,
>>>>>>>
>>>>>>> I just blogged about a couple issues I discovered on ASP.NET MVC
>>>>>>> (release 4 I think),
>>>>>>> http://diniscruz.blogspot.com/2008/09/aspnet-mvc-xss-and-autobind-vulns-in.html
>>>>>>>
>>>>>>> Am I missing something obvious or is this really how this is supposed
>>>>>>> to behave?
>>>>>>>
>>>>>>> Dinis
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Owasp-dotnet mailing list
>>>>>>> Owasp-dotnet at lists.owasp.org
>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-dotnet
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
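The "AutoBind" point in the thread above (UpdateModel with Request.Form.AllKeys versus the explicit property list that Preview 5 requires), as an added stand-alone example that is not code from Steve, Dinis or the ASP.NET MVC framework: the `Binder.UpdateModel` helper, the `UserProfile` model and the form values are constructed here to mimic the framework's behaviour with plain .NET reflection.

```csharp
using System;
using System.Collections.Generic;
using System.Reflection;

public class UserProfile
{
    public string DisplayName { get; set; } = "";
    public string Email { get; set; } = "";
    public bool IsAdmin { get; set; }   // privileged; never meant to be form-editable
}

public static class Binder
{
    // Stand-in (not the framework's code) for UpdateModel(model, includeProperties):
    // copies form values onto the model, but only for properties in allowedProperties.
    public static void UpdateModel<T>(T model, IDictionary<string, string> form, IEnumerable<string> allowedProperties)
    {
        var allowed = new HashSet<string>(allowedProperties, StringComparer.OrdinalIgnoreCase);
        foreach (var kv in form)
        {
            if (!allowed.Contains(kv.Key)) continue;   // the allow-list is the security control
            var prop = typeof(T).GetProperty(kv.Key,
                BindingFlags.Public | BindingFlags.Instance | BindingFlags.IgnoreCase);
            if (prop == null || !prop.CanWrite) continue;
            prop.SetValue(model, Convert.ChangeType(kv.Value, prop.PropertyType));
        }
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed request body: the client added a field the HTML form never rendered.
        var form = new Dictionary<string, string>
        {
            ["DisplayName"] = "dinis",
            ["Email"] = "dinis@example.invalid",
            ["IsAdmin"] = "true",
        };
        // Insecure: passing every submitted key (what Request.Form.AllKeys does) lets the
        // client decide which properties get written, so IsAdmin is flipped to true.
        var p1 = new UserProfile();
        Binder.UpdateModel(p1, form, form.Keys);
        Console.WriteLine($"AllKeys binding:    IsAdmin={p1.IsAdmin}");
        // Explicit allow-list: IsAdmin is not listed, so the tampered value is ignored.
        var p2 = new UserProfile();
        Binder.UpdateModel(p2, form, new[] { "DisplayName", "Email" });
        Console.WriteLine($"Allow-list binding: IsAdmin={p2.IsAdmin}");
    }
}
```

The same reasoning applies to any binder that walks submitted keys: the set of writable properties must come from the developer, never from the request.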