Attention: We are retiring the ASP.NET Community Blogs. Learn more >

Contents tagged with Model Binder

  • Security Issue in ASP.NET MVC3 JsonValueProviderFactory

        Introduction:

              Model binding(a mechanism for mapping action method parameters with request data), is one of the most popular feature of ASP.NET MVC. The default model binder get its data from different value providers. In ASP.NET MVC 2, by default, these value providers include FormValueProvider, QueryStringValueProvider, RouteDataValueProvider and HttpFileCollectionValueProvider. ASP.NET MVC 3 added two additional value providers, ChildActionValueProvider and a value provider for Json. Json value provider makes it very easy to model bind your action method parameters with incoming Json data, but I have found a security issue with this value provider.  In this article, I will show you the security issue regarding Json value provider and also show you how to protect against this security threat.