.NET Tips and Tricks

Blog archive

Why Rejection Prevents Zombies in ASP.NET Core

If you're looking for some interesting reading, try this article by Paulo Gomes on hacking ASP.NET (actually, try googling “Hacking ASP.NET” for a bunch of interesting articles). Paulo's article specifically discusses how an innocent Web application can be used to turn your organization's server into some hacker's puppet/zombie.

One part of the article talks about how creating a zombie requires that a malicious payload be uploaded to the ASP.NET site. As Paulo points out, there is a way to avoid this: “General advice is to reject any malformed input” ... which is where the ApiController attribute comes in.

When you create a Web service in ASP.NET Core, you have the option of applying the ApiController attribute to your service controllers. With that attribute in place, when model binding finds mismatches between the data sent to your service and the parameters passed to your service methods, ASP.NET automatically returns a 400 (Bad Request) status code and doesn't invoke your method. Therefore, there's no point inside a Web Service method to check the ModelState IsValid property because if the code inside your method is executing then IsValid will be true.

You can turn that feature off by omitting the ApiController attribute. But, as Paulo points out, you don't want to: The ApiController method is doing exactly what you want by ensuring that you only accept data that is, at least, well-formed. This won't protect you against every hack, of course, but it's a very good start.

Posted by Peter Vogel on 10/22/2019


comments powered by Disqus

Featured

  • VS Code 1.127 Further Integrates Advanced Browser-AI Tech

    Microsoft's July 1 Visual Studio Code update continues a recent push to make the editor's integrated browser a more capable development surface -- and a more useful tool for AI agents.

  • Support Vector Regression with SGD Training Using C#

    Support vector regression can predict numeric values effectively, and this article shows how to implement and train a kernel SVR model in C# using stochastic sub-gradient descent.

  • New GitHub Switch Limits Repo Issue Creation to Collaborators Only

    After publicly touting pull request limits as a way to cut maintainer noise, GitHub is taking the same idea further with a new setting that lets repository admins restrict issue creation to collaborators only.

  • Uno Platform Helps Ship First Stable SkiaSharp 4.0 Release for 2D .NET Graphics

    SkiaSharp 4.148.0 is the first stable v4 release, bringing a newer Skia engine, API cleanup, performance work and a Microsoft-Uno co-maintenance model.

Subscribe on YouTube