I am working in a website project in Visual Studio 2012. Here I have a web method which takes a single parameter. This method gets called from an AutoCompleteExtender control. Below is the code for it:
<asp:TextBox ID="txtsearch" runat="server" CssClass="form-control setvaluework" MaxLength="4000" />
<ajx:AutoCompleteExtender ID="AutoCompleteExtender1" runat="server" TargetControlID="txtsearch" ServicePath="SearchWebService.asmx" ServiceMethod="GetWorsList"
MinimumPrefixLength="1" CompletionSetCount="20" CompletionInterval="0" EnableCaching="true" CompletionListElementID="autocompleteList" >
</ajx:AutoCompleteExtender>
"GetWorsList" is defined as follows:
[WebMethod]
public List<string> GetWorsList(string prefixText)
{
List<string> workNames = null;
if (Validations.ValidWorkNoAjax(prefixText) == false)
{
return workNames;
}
else
{
if (con.State == ConnectionState.Closed)
{
con.Open();
}
System.Data.SqlClient.SqlCommand cmd = new System.Data.SqlClient.SqlCommand("", con);
cmd.Parameters.Add("@prefixText", SqlDbType.VarChar, 500).Value = "%" + prefixText + "%";
/*Some Code*/
return workNames;
}
}
I am working to protect this method from API Mass Assignment. In an audit scan this method gets exploited. When a POST request was made in a test scan, the following payload was used:
{
"prefixText": "WL",
"count": 20,
"is_admin": true,
"is_sso": true,
"role": "admin"
}
and it returns a 200 OK status, which should not be the case because the function takes only a single input, prefixText.
I have searched regarding this and found that I have to avoid using functions that automatically bind client input to code variables or internal objects. If applicable, explicitly define and enforce schemas for the input data payloads.
To achieve this I tried following:
public object GetWorsList(string prefixText)
{
// only the URL query-string keys are inspected here
var requestStrings = HttpContext.Current.Request.QueryString;
foreach (var item in requestStrings.AllKeys)
{
// reject any key that is not prefixText or count (substring match)
if (!item.Contains("prefixText") && !item.Contains("count"))
{
return BadRequest("Invalid Request");
}
}
}
I created a whitelist of parameters that will be accepted. If any other parameter is added by the attacker then this method will return BadRequest. But again, in a POST request this method is not working, i.e. I am not getting BadRequest. I tested this in Postman using the following details:
http://localhost:6949/ewbms_bb/SearchWebService.asmx/GetWorsList in a POST request
The payload I sent is:
{
"prefixText": "WL",
"count": 20,
"is_admin": true,
"is_sso": true,
"role": "admin"
}
Using the above payload the method should return BadRequest, but it gives status code 200 OK.
I also tried creating a separate class like this:
public class WorkSearchModel
{
public string prefixText { get; set; }
public int Count { get; set; }
}
and used WorkSearchModel as my method parameter. When I test this using Postman and also on localhost, I get the error: There was an error processing the request.
Through my search on the internet, I found that 'API Mass Assignment' is properly handled in ASP.NET Core, but for webform/website projects I found no such result. Please give guidance.
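The following is an added example, not the asker's code or anything from the AjaxControlToolkit project, showing how an ASMX [ScriptMethod] can enforce an explicit property whitelist on the JSON POST body that the AutoCompleteExtender sends. It assumes the extender posts {"prefixText":"WL","count":20} as the request body, that .NET 4.5 is available (for the StreamReader leaveOpen overload), and it replaces the Validations/SqlConnection lookup from the question with a constructed in-memory list; RequestSchema, UnexpectedKeys, ReadJsonBody and SampleWorkNames are names chosen for this example.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Text;
using System.Web;
using System.Web.Script.Serialization;
using System.Web.Script.Services;
using System.Web.Services;

// Added example (not the asker's code). Assumes a JSON POST body of the shape
// {"prefixText":"WL","count":20} and a constructed list instead of the SQL query.
public static class RequestSchema
{
    // Explicit contract for GetWorsList: exact, case-sensitive key names.
    // "prefixText" is the method parameter; "count" is what the extender adds.
    private static readonly HashSet<string> AllowedKeys =
        new HashSet<string>(StringComparer.Ordinal) { "prefixText", "count" };

    // Returns every top-level JSON key that is not part of the contract.
    // For the audit payload in the question this yields is_admin, is_sso, role.
    public static List<string> UnexpectedKeys(string jsonBody)
    {
        var unexpected = new List<string>();
        if (string.IsNullOrWhiteSpace(jsonBody))
        {
            return unexpected;
        }
        // Deserialize to a dictionary so keys that would never bind to a
        // parameter are still visible to the check.
        var payload = new JavaScriptSerializer()
            .Deserialize<Dictionary<string, object>>(jsonBody);
        if (payload != null)
        {
            unexpected.AddRange(payload.Keys.Where(k => !AllowedKeys.Contains(k)));
        }
        return unexpected;
    }

    // Re-reads the POST body that the ASMX JSON handler has already consumed.
    // Request.QueryString is empty for a JSON POST, so the body is the only
    // place where the extra properties can be seen.
    public static string ReadJsonBody(HttpRequest request)
    {
        request.InputStream.Position = 0;
        using (var reader = new StreamReader(request.InputStream, Encoding.UTF8,
                                             true, 1024, leaveOpen: true))
        {
            return reader.ReadToEnd();
        }
    }
}

[WebService(Namespace = "http://tempuri.org/")]
[ScriptService]
public class SearchWebService : WebService
{
    // Constructed sample data standing in for the SQL lookup in the question.
    private static readonly string[] SampleWorkNames =
        { "WL-Pump House", "WL-Bridge", "Canal Lining" };

    [WebMethod]
    [ScriptMethod(ResponseFormat = ResponseFormat.Json)]
    public List<string> GetWorsList(string prefixText)
    {
        HttpContext ctx = HttpContext.Current;
        List<string> extra = RequestSchema.UnexpectedKeys(
            RequestSchema.ReadJsonBody(ctx.Request));
        if (extra.Count > 0)
        {
            // Reject instead of silently ignoring: 400 plus an empty result.
            // A thrown exception would come back as 500 from the JSON handler.
            // The key names are user input, so log them server-side rather
            // than echoing them into a response header.
            ctx.Response.StatusCode = 400;
            ctx.Response.StatusDescription = "Unexpected request properties";
            ctx.Response.TrySkipIisCustomErrors = true;
            return new List<string>();
        }

        if (string.IsNullOrEmpty(prefixText))
        {
            return new List<string>();
        }
        // The original uses a parameterised LIKE query; a case-insensitive
        // contains over the constructed list plays that role here.
        return SampleWorkNames
            .Where(n => n.IndexOf(prefixText, StringComparison.OrdinalIgnoreCase) >= 0)
            .Take(20)
            .ToList();
    }
}
```

Two points explain the behaviour seen in the question. First, Request.QueryString only holds URL parameters, so for a JSON POST the whitelist loop iterates over nothing and the 200 OK is returned unchanged; the body has to be read from Request.InputStream instead. Second, the ASMX JSON handler maps top-level body keys onto method parameters by name and ignores keys that match no parameter, which is why is_admin, is_sso and role never bind to anything and why a WorkSearchModel parameter fails (the extender sends prefixText and count at the top level, not nested under the parameter name). The check above makes that contract explicit and rejects payloads that do not match it, which is what the audit finding asks for.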