Veracode has found overpost or mass-assignment flaws (CWE 915) in our MVC portal. Technically, this is true, but I am wondering how much of an effort we would need to put into this, especially since we are already using antiforgery tokens, require SSL, and don't allow our pages to be shown in iframes from a different origin.
In this given example, the MVC request is a post for getting security answers for password recovery. A whole view model is posted to the MVC action. the view model includes the answers, the user's login id, AND the questions (along with page title and a few other things). We validate the answers against the user's answers, and if they are wrong, we redisplay the page with that same view model.
public class ViewModelClassName
{
public string SecurityQuestion1 { get; set; }
public string SecurityAnswer1 { get; set; }
public string SecurityQuestion2 { get; set; }
public string SecurityAnswer2 { get; set; }
public string userId { get; set; }
public string PageTitle { get; set; }
}
[HttpPost, ValidateAntiForgeryToken]
public ActionResult PasswordRecovery(ViewModelClassName model)
{
if (!_service.ValidateAnswers(model))
{
model.ShowSecurityAnswersMustMatchMessage = true;
ModelState.AddModelError("answersdontmatch", Resource.SomeLocalizedErrorMessage);
}
if (ModelState.IsValid)
{
return RedirectToAction("Index", "ChangePassword");
}
return View(model); <--- model isn't getting rebuild, just redisplayed if there are validation errors
}
The ValidateAnswers functions uses the userid value to load the user record, and conpaires the answers in the db to the answers in the view model.
We are not writing this viewmodel to the database. But we DO reshow that view model if the answers aren't correct or there is a another issue with the ModelState.
An attack would need to get a user's antiforgery token, and then mimic one of our forms to post the data. And the result would be to reshow the Online recovery page with possibly the wrong security questions or page title or whatever.
This seems unlikely and esoteric. Do I need to worry about this, or is CWE-915 more focused on blindly updating the database with a object that's posted to a webpage?