ASP.NET MVC Delete action

As part of my learning experience with the new version of ASP.NET MVC I was trying to figure out a good way to be able to delete an object and then refreshing the parent page with the updated information. What I have found out is something more significant. My initial thought was I can just use a normal call:

  <%= Html.ActionLink(“Delete”,”Delete”,”Person”, new { Id = 1},null) %> 

to delete my object that I no longer needed. However what I found out is that there is a potential security flaw associated with deleting objects using this paradigm.
The issue that one might not realize is that they are potentially allowing any person to simply invoke the URL which looks like this:

This might seem fine at first and some people might argue that as long as you have security established on your site then you are fine. However what if someone persists their security cookie and then the attacker will use that users cookie token to invoke the deletion of the person object by putting a link such as:

<img src=”” />

At first it all seems harmless however because of the way that the browsers typically deal with “img” tags it will automatically try to download the link that is provided in the “src” attribute of the image tag. This will invoke the deletion of the person object because the user is already authenticated to the website.

So how does one avoid this issue. It is actually pretty simple, all you have to do is to make sure that you mark your Action in the controller with the [HttpPost] attribute which will force the ASP.NET MVC framework will return back an error for the given image download request which is not visible to the user however it will prevent the action from executing. So in order to utilize the new action that is now marked with [HttpPost] is to create a form on the page and submit it with either a submit button or a javascript call to invoke the form.submit() function.

Categories: Security Tags: ,