Security consideration when passing data through Ajax request in ASP.NET MVC


Note: This blog post is old. You can find the newer post here:

ASP.NET MVC security and hacking: Defense-in-depth

Always be careful when returning data through a JSON response, because everything in that response is visible to the end user, and in some cases sensitive data can be exposed.

  return Json(new dtweetDataContext().Users);

The statement above returns every record of every user, including the users' passwords.

“User” is a LINQ-to-SQL entity class as shown here:

public partial class User
{
  public string UserName    { get; set; }
  public string FullName    { get; set; }
  public string Password    { get; set; }
  public string Email       { get; set; }
}

The figure shows what happens and how the sensitive data becomes visible to the end user:


The best way is to return only the fields that are needed, using the IQueryable<T>.Select(...) extension method as shown here:

return Json(new dtweetDataContext().Users
     .Select(u => new { u.UserName, u.FullName }));

Now only two fields are passed instead of the whole user object:

  1. User name
  2. Full name

The figure shows that the sensitive data is now protected, and the size of the JSON response is reduced as well:

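As an added example (not the post's own code), here is the same fix written with an explicit view model instead of an anonymous type, so the set of fields that may reach the browser is a named, reviewable contract; UserSummary, ToSummary and UsersController are names assumed here, while dtweetDataContext and User are the post's LINQ-to-SQL types.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Web.Mvc;

// Explicit view model: the only fields that are ever serialised to JSON.
// Adding a property here is a deliberate change that shows up in code review.
public class UserSummary
{
    public string UserName { get; set; }
    public string FullName { get; set; }
}

public static class UserProjection
{
    // Server-side projection: LINQ-to-SQL translates this Select into a query
    // that fetches only these two columns, so Password and Email never leave
    // the database, let alone the server.
    public static IQueryable<UserSummary> ToSummary(this IQueryable<User> users)
    {
        return users.Select(u => new UserSummary
        {
            UserName = u.UserName,
            FullName = u.FullName
        });
    }
}

public class UsersController : Controller
{
    // BEFORE (the leak described in the post): every column of every row,
    // including Password, is serialised.
    //   return Json(new dtweetDataContext().Users);

    // AFTER: only the whitelisted fields are serialised.
    public JsonResult All()
    {
        using (var db = new dtweetDataContext())
        {
            // ToList() runs the query now; the DataContext is disposed when this
            // block ends, before the JsonResult is executed, so a deferred
            // IQueryable would fail at serialisation time.
            List<UserSummary> summaries = db.Users.ToSummary().ToList();

            // ASP.NET MVC refuses to serve JSON for GET requests unless the
            // action opts in with JsonRequestBehavior.AllowGet; keep the default
            // and invoke this action via an Ajax POST, as the post does.
            return Json(summaries);
        }
    }
}
```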

Always know what’s happening behind the scene when you build something.
