lesponce asked:

How to Prevent Parameter Tampering

How can I prevent parameter tampering in my code below?

     var MyTest = await _context.MyTable.Where(x => x.ID == EmployeeID).ToListAsync();


Tags: dotnet-csharp, dotnet-aspnet-core-security

I assume you are referring to the EmployeeID parameter. Unfortunately, you did not share any code that populates the variable or shows how the variable is passed.

If you are worried about the LINQ query, the query that's generated is a parameterized query. The parameter tampering vulnerability would occur elsewhere in your code, for example in user input.

karenpayneoregon answered:

You can create a class like the following

 // Immutable wrapper: Id can only be set through the constructor
 // (init-only setter), so a callee cannot reassign it afterwards.
 public class Integer
 {
     public int Id { get; init; }
     public Integer(int id)
     {
         Id = id;
     }
 }

Pass it to a method which can use it but not alter the Id property

(immutable.png: screenshot of the wrapper instance being passed to a method; not reproduced here)
lesponce commented:

Thanks karenpayneoregon, so the value of EmployeeID is what I have to pass into the Results method?

This is my code:
var MyTest = await _context.MyTable.Where(x => x.ID == EmployeeID).ToListAsync();

karenpayneoregon replied:

Yes, and you can name the class and or property as you see fit e.g.

 public class Integer
 {
     public int EmployeeID { get; init; }
     public Integer(int employeeId)
     {
         EmployeeID = employeeId;
     }
 }

Or

 public class EmployeeData
 {
     public int Id { get; init; }
     public EmployeeData(int employeeId)
     {
         Id = employeeId;
     }
 }

lesponce commented:

Thanks for your help!

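The comment above places the tampering risk where EmployeeID enters the application, and the accepted answer wraps the value so a callee cannot change it; neither shows where a trustworthy EmployeeID comes from. The following is an added example, not code from this thread or from any of its participants. It assumes an ASP.NET Core app with authentication already configured, an EF Core context exposing the question's `MyTable` with an `int ID` column, and that the sign-in ticket carries a hypothetical `employee_id` claim and a hypothetical `Manager` role; the class names `MyDbContext`, `MyRow` and `EmployeeController` are likewise made up for the example.

```csharp
// Added example (not from the original thread). Assumes ASP.NET Core with
// authentication configured, an EF Core DbContext, and that login sets a
// hypothetical "employee_id" claim (and optionally a hypothetical "Manager" role).
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;

// Minimal stand-ins for the question's _context.MyTable (hypothetical names).
public class MyRow
{
    public int ID { get; set; }
    public string Name { get; set; } = "";
}

public class MyDbContext : DbContext
{
    public MyDbContext(DbContextOptions<MyDbContext> options) : base(options) { }
    public DbSet<MyRow> MyTable => Set<MyRow>();
}

[ApiController]
[Route("api/[controller]")]
[Authorize]
public class EmployeeController : ControllerBase
{
    private readonly MyDbContext _context;

    public EmployeeController(MyDbContext context) => _context = context;

    // BEFORE: EmployeeID is whatever the client put in the URL. The LINQ query
    // is parameterized, so this is not SQL injection, but any signed-in user can
    // request /api/employee/42 and read employee 42's rows. That is the
    // parameter tampering the question asks about.
    [HttpGet("{employeeId:int}")]
    public async Task<IActionResult> GetTampered(int employeeId)
    {
        var rows = await _context.MyTable
            .Where(x => x.ID == employeeId)
            .ToListAsync();
        return Ok(rows);
    }

    // AFTER (own data): the identifier comes from the server-side identity,
    // which the client cannot edit. Nothing in the request decides whose rows
    // are returned, so there is no parameter to tamper with.
    [HttpGet("me")]
    public async Task<IActionResult> GetOwn()
    {
        var claim = User.FindFirst("employee_id");
        if (claim is null || !int.TryParse(claim.Value, out var employeeId))
            return Forbid(); // authenticated but not mapped to an employee: deny

        var rows = await _context.MyTable
            .Where(x => x.ID == employeeId)
            .ToListAsync();
        return Ok(rows);
    }

    // AFTER (other people's data): when a caller may legitimately view other
    // employees, accept the parameter but decide server-side, from the identity,
    // whether this caller is allowed to see this employee before querying.
    [HttpGet("{employeeId:int}/as-manager")]
    public async Task<IActionResult> GetAsManager(int employeeId)
    {
        var own = User.FindFirst("employee_id")?.Value;
        bool isSelf = own is not null
                      && int.TryParse(own, out var ownId)
                      && ownId == employeeId;
        bool isManager = User.IsInRole("Manager"); // hypothetical role; a real
                                                   // app would also check that
                                                   // this manager owns that employee

        if (!isSelf && !isManager)
            return NotFound(); // 404 rather than 403 avoids confirming the ID exists

        var rows = await _context.MyTable
            .Where(x => x.ID == employeeId)
            .ToListAsync();
        return Ok(rows);
    }
}
```

The point of the contrast is that immutability of the value after it has been received does not help if the value was chosen by the client in the first place; the EmployeeID used in the `Where` clause has to be derived from, or checked against, the authenticated identity on the server.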
TomPhillips-1744 answered:

This is a .Net question.

.Net support is on stackoverflow. I suggest you post your question here:

https://stackoverflow.com/questions/43564427/how-to-prevent-the-visitor-from-tampering-with-the-id-field-in-post-action
