.NET Tips and Tricks

Why Rejection Prevents Zombies in ASP.NET Core

If you're looking for some interesting reading, try this article by Paulo Gomes on hacking ASP.NET (actually, try googling “Hacking ASP.NET” for a bunch of interesting articles). Paulo's article specifically discusses how an innocent Web application can be used to turn your organization's server into some hacker's puppet/zombie.

One part of the article talks about how creating a zombie requires that a malicious payload be uploaded to the ASP.NET site. As Paulo points out, there is a way to avoid this: “General advice is to reject any malformed input” ... which is where the ApiController attribute comes in.

When you create a Web service in ASP.NET Core, you have the option of applying the ApiController attribute to your service controllers. With that attribute in place, whenever model binding or validation leaves ModelState invalid (a value that can't be converted to the parameter's type, a missing [Required] member, a failed data-annotation rule such as [Range] or [StringLength]), ASP.NET Core automatically returns a 400 (Bad Request) status code, with a ValidationProblemDetails body listing the errors, and doesn't invoke your method. Therefore, there's no point inside a Web service method in checking the ModelState IsValid property: if the code inside your method is executing, then IsValid is already true.

You can turn that feature off by omitting the ApiController attribute (or, less obviously, by setting SuppressModelStateInvalidFilter to true in ApiBehaviorOptions, which keeps the attribute but silences the automatic 400; if you find that setting in a project, every action has to check ModelState by hand again). But, as Paulo points out, you don't want to: The ApiController attribute is doing exactly what you want by ensuring that you only accept data that is, at least, well-formed. Bear in mind that "well-formed" here means "passes the binding and validation rules you declared": extra JSON properties you didn't declare are ignored by default, and values that convert cleanly but make no sense for your business logic still reach your code. This won't protect you against every hack, of course, but it's a very good start.
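The behaviour described above, as an added example that is not code from the original post: a minimal ASP.NET Core Web API with one controller that relies on [ApiController] and, for contrast, one that does not and so has to reject bad input itself. It assumes .NET 6 or later (minimal hosting in Program.cs; the controller and DTO code is unchanged on 2.2/3.x with a Startup class), and the CreateOrderRequest type, the controllers and their routes are hypothetical names chosen for the example. The commented-out ApiBehaviorOptions line is the other way to lose the automatic 400.

```csharp
// Added example (not from the original post): an ASP.NET Core Web API that relies on
// [ApiController] to reject malformed input before the action body ever runs.
// Assumes .NET 6+ minimal hosting; all type, route and property names are hypothetical.
using System;
using System.ComponentModel.DataAnnotations;
using Microsoft.AspNetCore.Mvc;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers();

// Uncomment to turn the automatic 400 OFF while keeping the attribute. With this set,
// every action must check ModelState itself, exactly as LegacyOrdersController does below.
// builder.Services.Configure<ApiBehaviorOptions>(o => o.SuppressModelStateInvalidFilter = true);

var app = builder.Build();
app.MapControllers();
app.Run();

// Hypothetical request model. The DataAnnotations attributes are what define
// "well-formed" for this endpoint; anything they don't cover still reaches your code.
public class CreateOrderRequest
{
    [Required, StringLength(64)]
    public string CustomerId { get; set; } = "";

    [Range(1, 1000)]
    public int Quantity { get; set; }
}

[ApiController]
[Route("api/[controller]")]
public class OrdersController : ControllerBase
{
    // Because of [ApiController]:
    //  - the complex parameter is bound from the JSON body without an explicit [FromBody],
    //  - if binding fails (e.g. "quantity": "lots") or a DataAnnotations rule fails
    //    (e.g. an empty {} body), MVC answers 400 with a ValidationProblemDetails body
    //    and this method is never invoked.
    [HttpPost]
    public IActionResult Create(CreateOrderRequest request)
    {
        // ModelState.IsValid is always true here; checking it would be dead code.
        var id = Guid.NewGuid();
        return Created($"/api/orders/{id}", new { id, request.CustomerId, request.Quantity });
    }
}

// For contrast: the same action without the attribute (or with the filter suppressed)
// must do the rejection by hand. Without the check, an empty {} body would arrive as
// CustomerId = "" and Quantity = 0, and an unparseable body as a null request.
[Route("api/legacy-orders")]
public class LegacyOrdersController : ControllerBase
{
    [HttpPost]
    public IActionResult Create([FromBody] CreateOrderRequest request)
    {
        if (request is null || !ModelState.IsValid)
            return BadRequest(ModelState);

        var id = Guid.NewGuid();
        return Created($"/api/legacy-orders/{id}", new { id, request.CustomerId, request.Quantity });
    }
}
```

To see the difference, run the app and POST `{"customerId":"c-1","quantity":"lots"}` or just `{}` with `Content-Type: application/json` to `/api/orders`: the response is a 400 with `application/problem+json` and an `errors` dictionary keyed by property name, and a breakpoint inside `OrdersController.Create` is never hit. Delete the `if` in `LegacyOrdersController` and send `{}` to `/api/legacy-orders` to watch the half-bound object get processed as if it were a real order.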

Posted by Peter Vogel on 10/22/2019
