An HP Fortify scan gives me a "Mass Assignment: Insecure Binder Configuration (API Abuse, Structural)" finding for most of the action methods in my controller. Below is an example of such an action method.
<HttpPost>
Public Function Edit(model As GridViewModel) As ActionResult
    ' Every public property of GridViewModel is bound from the posted request
    Dim manager As New Managers()
    manager.Edit(model.id, model.name, model.desc, model.class)
    Return Nothing
End Function
When I tried the following method, the finding went away.
<HttpPost>
Public Function Edit(id As Integer?, name As String, desc As String, [class] As String) As ActionResult
    ' Each value is bound to its own primitive parameter; [class] is escaped because Class is a VB keyword
    Dim manager As New Managers()
    manager.Edit(id, name, desc, [class])
    Return Nothing
End Function
But the code above seems like an MVC bad practice. Please suggest a method to overcome this issue.
In C#, you can specify which items in the model will be allowed in. For example, your routine would look like this in C#:
This should at least give you a jumping point to research the language you are writing in to see if they allow the same action.
In addition to being able to include specific parameters (whitelisting), you can also exclude parameters simply by using [Bind(Exclude = "")].
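The same Bind attribute applied to the asker's VB.NET Edit action, as an added example that is not code from the question or the answer. GridViewModel, Managers and the property names Id, Name, Desc and Class are assumed from the question; RecordOwnerId is a constructed extra property, included only to show what the whitelist leaves unbound.

```vbnet
' Added example, not the asker's code. GridViewModel, Managers and the
' property names are assumed from the question; RecordOwnerId is constructed.
Imports System.Web.Mvc

Public Class GridViewModel
    Public Property Id As Integer?
    Public Property Name As String
    Public Property Desc As String
    Public Property [Class] As String      ' escaped: Class is a VB keyword
    Public Property RecordOwnerId As Integer?   ' constructed: must never come from the form
End Class

Public Class GridController
    Inherits Controller

    ' Whitelist form: only the listed properties are populated from the request.
    ' Any other posted field (e.g. RecordOwnerId) is ignored by the default model
    ' binder, so the model keeps its default value for it.
    <HttpPost>
    Public Function Edit(<Bind(Include:="Id,Name,Desc,Class")> model As GridViewModel) As ActionResult
        Dim manager As New Managers()
        manager.Edit(model.Id, model.Name, model.Desc, model.[Class])
        Return Nothing
    End Function

    ' Blacklist form: binds everything except the named properties. A property
    ' added to GridViewModel later is bound unless this list is updated, which is
    ' why Include is the safer choice when the model is likely to grow.
    <HttpPost>
    Public Function EditExcluding(<Bind(Exclude:="RecordOwnerId")> model As GridViewModel) As ActionResult
        Dim manager As New Managers()
        manager.Edit(model.Id, model.Name, model.Desc, model.[Class])
        Return Nothing
    End Function
End Class
```

Property names in Include and Exclude are matched case-insensitively against the posted field names, and the attribute works the same way on a parameter as it does on the view-model class itself.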