0

I was wondering if it is safe to call a controller action from a javascript file and pass (say sensitive) parameters to it.

Say that the end-user makes a bet on something, and then the value of the bet will be sent to a controller action.

The bet itself is typed into a textbox on the page and javascript sends that value as a parameter to the action on a button click event.

Before the action is called, can the user manipulate his/her bet value AFTER clicking the button?

Thanks

2
  • Can it be manipulated? Yes. Commented Aug 10, 2017 at 11:23
  • He can just type a different value into the textbox in the first place. Where is the difference? Commented Aug 10, 2017 at 11:58

3 Answers

1

It can be manipulated but there should be no problem as long as you're not going to send e.g. a price to the controller which will be processed.

Think about that: someone orders a pizza and the price of the pizza is sent from javascript to the controller. This is not a good way because the price can be set to 0 and you get no money. In this case you will pass the ID or the name of the pizza to the controller and get the price from a database.

In your case it's not a problem because there is no difference if he types 10 and then manipulates it to 20 or if he directly types 20. In both cases you'll get the number 20.

If you're processing all data in your controller you should be safe. If you pass data to the controller check if it's a problem if it's not the value the user typed in.


1 Comment

Thank you for that explanation and example. Got it ;-)
1

Most modern websites today are heavily javascript driven, so yes, it is safe to call a controller action from a javascript file. But you'll have to make sure that you have certain security measures in place.

  1. HTTP over SSL (to encrypt sensitive data and prevent man-in-the-middle attacks).
  2. Antiforgery tokens (to prevent cross-site request forgery).
  3. Always validate the client inputs. Make sure you have server-side validations in place (data annotations etc.) and the model state is valid (ModelState.IsValid) before you perform any operations.
  4. I know ASP.NET MVC has some level of built-in protection against cross-site scripting attacks, but make sure that the client input is always HTML encoded if you're displaying it back to the webpage.

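As an added illustration of the price-lookup advice in the first answer and the antiforgery-token and ModelState points in the list above (example code, not taken from any answer or project; the PizzaOrderModel, OrderController and in-memory price table are hypothetical stand-ins):

```csharp
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;

// Hypothetical view model: the client may only say WHAT it orders, never what it costs.
public class PizzaOrderModel
{
    [Required]
    public int PizzaId { get; set; }

    [Range(1, 10)]
    public int Quantity { get; set; }
}

public class OrderController : Controller
{
    // Constructed sample data standing in for the database lookup the first answer describes.
    private static readonly Dictionary<int, decimal> Prices =
        new Dictionary<int, decimal> { { 1, 8.50m }, { 2, 11.00m } };

    // The view must render @Html.AntiForgeryToken() and the script must post that
    // __RequestVerificationToken field along with the form values; otherwise this
    // attribute rejects the request (the CSRF protection from point 2).
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Place(PizzaOrderModel order)
    {
        // Data-annotation rules are enforced here (point 3): a missing PizzaId or a
        // Quantity outside 1..10 never reaches the business logic.
        if (!ModelState.IsValid)
            return new HttpStatusCodeResult(400, "Invalid order");

        decimal unitPrice;
        if (!Prices.TryGetValue(order.PizzaId, out unitPrice))
            return HttpNotFound("Unknown pizza");

        // The total comes from server-side data only, so a client that edited the
        // request in flight can change which pizza it buys, but not the price.
        decimal total = unitPrice * order.Quantity;

        // ... persist the order and charge `total` ...
        return Json(new { total });
    }
}
```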

0

I was wondering if it is safe to call a controller action from a javascript file and pass (say sensitive) parameters to it.

"Safe" in terms of...? If the connection is SSL, you can certainly assume that the values will be safely transferred from client to server. But "safe" in terms of stability depends on your application.

Can the parameters be manipulated before being sent to the controller?

Certainly. But in what way are the parameters "sensitive"? There isn't really anything you could send from client to server without the client/user knowing about it.

1 Comment

Edited my question. Thanks for the answer though
