Security consideration when passing data through Ajax request in ASP.NET MVC

Note: This blog post is old. You can find the newer post here:

ASP.NET MVC security and hacking: Defense-in-depth

Always be careful when returning data through a JSON (Ajax) request: everything you serialize is visible to the end user, and in some cases sensitive data is exposed that way.

  return Json(new dtweetDataContext().Users);

The statement above returns the records of all users, including the users' passwords.

"User" is a LINQ-to-SQL entity class, as shown here:

  // Entity class generated by LINQ-to-SQL; every public property is serialized by Json()
  public partial class User
  {
    public string UserName    { get; set; }
    public string FullName    { get; set; }
    public string Password    { get; set; }  // sensitive: must never reach the client
    public string Email       { get; set; }
  }

The figure shows what happened and how the sensitive data becomes visible to the end user:


The better approach is to return only the fields the client actually needs, using the IQueryable<T>.Select(...) extension method as shown here:

return Json(new dtweetDataContext().Users
     .Select(u => new { u.UserName, u.FullName }));

Now only two fields are returned instead of the whole User object:

  1. User name
  2. Full name

The figure shows that the sensitive data is now protected, and that the JSON response is smaller as well:
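The same before/after contrast as a stand-alone console program, added here as an example and not code from the original post: it models the post's User entity in memory (no LINQ-to-SQL context, no MVC Json() helper, System.Text.Json instead) and adds a small regression check that a test can run against any JSON response to confirm the sensitive properties never reach the client.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;

// Stand-in for the post's LINQ-to-SQL entity (constructed for this example).
public class User
{
    public string UserName { get; set; }
    public string FullName { get; set; }
    public string Password { get; set; }   // sensitive
    public string Email    { get; set; }   // sensitive
}

// Explicit view model: only the fields the client is allowed to see.
public class UserSummary
{
    public string UserName { get; set; }
    public string FullName { get; set; }
}

public static class JsonExposureDemo
{
    // Constructed sample data standing in for new dtweetDataContext().Users.
    static readonly List<User> Users = new List<User>
    {
        new User { UserName = "alice", FullName = "Alice A.", Password = "s3cret",  Email = "alice@example.com" },
        new User { UserName = "bob",   FullName = "Bob B.",   Password = "hunter2", Email = "bob@example.com" },
    };

    // Leaky version: the serializer walks every public property of the entity.
    public static string SerializeAll() => JsonSerializer.Serialize(Users);

    // Projected version: the entity never reaches the serializer, only the view model does.
    public static string SerializeProjected() =>
        JsonSerializer.Serialize(Users.Select(u => new UserSummary { UserName = u.UserName, FullName = u.FullName }));

    // Regression check for a unit test: fail if a sensitive property name appears as a JSON key.
    public static bool LeaksSensitiveField(string json) =>
        json.Contains("\"Password\"") || json.Contains("\"Email\"");

    public static void Main()
    {
        Console.WriteLine("Full entity:  " + SerializeAll());
        Console.WriteLine("Projected:    " + SerializeProjected());
        Console.WriteLine("Leak (full)?  " + LeaksSensitiveField(SerializeAll()));
        Console.WriteLine("Leak (proj)?  " + LeaksSensitiveField(SerializeProjected()));
    }
}
```

The key-name check is deliberately simple; in a real test suite, parse the response with JsonDocument and assert on the exact set of property names so a renamed or nested sensitive field is also caught.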


Always know what's happening behind the scenes when you build something.

