Project Description
This project attempts to bridge a gap between how Web Forms and MVC handle storing tamper-protected values on a page.

Web Forms has Event Validation, which prevents someone from changing a hidden textbox. This was both good and bad. It helped to prevent someone from tampering with the value, but it also prevented client-side script from legitimately changing a value.

These security extensions for MVC let you encrypt a key field on a page using asymmetric encryption; on postback the encrypted copy is compared against the plain text field to detect tampering.

This helps remedy a common oversight by MVC developers: we bind a model on a page and emit a hidden input box with a key, such as CustomerId. Imagine:
@Html.EditorFor(o => o.CustomerId)

What happens when the end user (i.e. an attacker) changes this value?

If the end user tampers with this CustomerId, they can then overwrite some other record in the database.

This project encrypts the id so that upon postback a verification is done to ensure the value hasn't been tampered with, providing an additional level of protection.

For usage, on your controller's post action method add the attribute with the key name, such as:
[ValidateAntiModelInjectionAttribute("CustomerId")]

And then in your view, inside the form, add:
@Html.AntiModelInjectionFor(o => o.CustomerId)

That's it! The validation then happens automatically. Since the MachineKey is used, if you use this in a web farm please ensure the machine keys are synced between your web farm machines, so that a value encrypted on Server A can be decrypted on Server B.
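The following is an added example and is not the project's own code; it is an illustrative re-implementation of the two pieces the usage above relies on (the view helper that emits a protected copy of the key, and the action filter that checks it on postback). Rather than the project's internals, which are not shown on this page, it uses the framework's MachineKey.Protect/Unprotect (authenticated encryption keyed by the machineKey, available from .NET 4.5), so the web-farm note about synced machine keys applies to it as well. The class and method names mirror the usage on this page; the "_Token" suffix, the "AntiModelInjection" purpose string and the "field|value" plaintext layout are assumptions of this example.

```csharp
// Added example, not the project's code. Hypothetical re-implementation of the
// AntiModelInjectionFor helper and ValidateAntiModelInjection filter on top of
// System.Web.Security.MachineKey (authenticated encryption, .NET 4.5+).
using System;
using System.Linq.Expressions;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Mvc;
using System.Web.Mvc.Html;
using System.Web.Security;

namespace AntiModelInjectionExample
{
    internal static class ProtectedField
    {
        // Purpose string (assumed name) scopes the blob to this use, so MachineKey output
        // produced for another purpose cannot be presented as an anti-injection token.
        private const string Purpose = "AntiModelInjection";

        // Name of the hidden field carrying the protected copy (assumed convention).
        public static string HiddenName(string fieldName) { return fieldName + "_Token"; }

        // Encrypts and authenticates "<field>|<value>"; the field name is included so a
        // token minted for one property cannot be re-used for another.
        public static string Protect(string fieldName, string value)
        {
            var data = Encoding.UTF8.GetBytes(fieldName + "|" + (value ?? string.Empty));
            return HttpServerUtility.UrlTokenEncode(MachineKey.Protect(data, Purpose));
        }

        // Recovers the original value from the token. Returns false (value = null) if the
        // token is missing, malformed, fails authentication, or belongs to another field.
        public static bool TryUnprotect(string fieldName, string token, out string value)
        {
            value = null;
            if (string.IsNullOrEmpty(token)) return false;
            try
            {
                var bytes = HttpServerUtility.UrlTokenDecode(token);
                if (bytes == null) return false;
                var plain = Encoding.UTF8.GetString(MachineKey.Unprotect(bytes, Purpose));
                var prefix = fieldName + "|";
                if (!plain.StartsWith(prefix, StringComparison.Ordinal)) return false;
                value = plain.Substring(prefix.Length);
                return true;
            }
            catch (CryptographicException) { return false; } // tampered or wrong machineKey
            catch (FormatException) { return false; }        // not valid base64url
        }
    }

    public static class AntiModelInjectionHtmlExtensions
    {
        // View side: @Html.AntiModelInjectionFor(o => o.CustomerId) emits a hidden input
        // holding the protected copy of the model's current CustomerId. The editable field
        // itself still comes from @Html.EditorFor as on the page.
        public static MvcHtmlString AntiModelInjectionFor<TModel, TProperty>(
            this HtmlHelper<TModel> html, Expression<Func<TModel, TProperty>> expression)
        {
            var name = ExpressionHelper.GetExpressionText(expression);
            var metadata = ModelMetadata.FromLambdaExpression(expression, html.ViewData);
            var token = ProtectedField.Protect(name, Convert.ToString(metadata.Model));
            return html.Hidden(ProtectedField.HiddenName(name), token);
        }
    }

    // Controller side: [ValidateAntiModelInjection("CustomerId")] on the POST action.
    public sealed class ValidateAntiModelInjectionAttribute : ActionFilterAttribute
    {
        private readonly string _fieldName;

        public ValidateAntiModelInjectionAttribute(string fieldName) { _fieldName = fieldName; }

        public override void OnActionExecuting(ActionExecutingContext filterContext)
        {
            var form = filterContext.HttpContext.Request.Form;
            var posted = form[_fieldName];
            string original;
            var ok = ProtectedField.TryUnprotect(_fieldName, form[ProtectedField.HiddenName(_fieldName)], out original)
                     && string.Equals(posted, original, StringComparison.Ordinal);
            if (!ok)
            {
                // Short-circuit before the action runs, so a tampered id never reaches the
                // database write the page warns about.
                filterContext.Result = new HttpStatusCodeResult(400, "Anti-model-injection check failed.");
                return;
            }
            base.OnActionExecuting(filterContext);
        }
    }
}
```

Two design points worth noting. Including the field name inside the protected plaintext, together with a fixed purpose string, means a token is only accepted for the property it was minted for. The check as written guarantees only that the posted value matches a copy this application emitted earlier; it is not bound to a user or session, so if that distinction matters for your model, folding the session identifier into the protected plaintext (and comparing it on postback) is the natural hardening on top of the scheme the page describes.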


Last edited Dec 3, 2011 at 12:31 AM by adamtuliper, version 2