The ASP.NET Core Web API solution that we build went through the Fortify scan and below are a couple of the distinct issues reported (out of 50):
1. Mass Assignment: Insecure Binder Configuration (High Priority)
    public class CreateRequestModel
    {
        public string Name { get; set; } = default!;
        public string User { get; set; } = default!;
    }
This model is being passed as an input to a post controller action:
    [HttpPost]
    public async Task<IActionResult> Create(CreateRequestModel model)
    {
        bool status = await _service.Create(model);
        return Ok(status);
    }
2. ASP.NET MVC Bad Practices: Controller Action Without AntiForgery Validation (Low Priority)
This is being reported for the same controller action method (on line 1):
    [HttpPost]
    public async Task<IActionResult> Create(CreateRequestModel model)
    {
        bool status = await _service.Create(model);
        return Ok(status);
    }
May I know what is the solution to fix this?
I tried to research myself but did not get any lead. All links are pointing to ASP.NET Core MVC application fixes. Ours is a pure Web API and we do not return any views.
Please suggest.
Solution for Issue 1:
    [Bind(nameof(Name), nameof(User))]
    public class CreateRequestModel
    {
        public string Name { get; set; } = default!;
        public string User { get; set; } = default!;
    }
Since Issue 2 is low priority, I have suppressed that for now. I will update the answer in case I find a solution for the same.
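An added example (not the asker's or the answerer's code) showing the overposting pattern behind Fortify's Mass Assignment finding next to the request-model approach from the answer. The Request entity, its Approved property, IRequestService and the route are assumptions made for this example; the page's own model has only Name and User.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;

// Domain entity (assumed for this example). Approved is server-controlled and
// must never be settable by the caller.
public class Request
{
    public int Id { get; set; }
    public string Name { get; set; } = default!;
    public string User { get; set; } = default!;
    public bool Approved { get; set; }
}

// The pattern the scanner is warning about: binding the entity itself.
// A body such as {"name":"x","user":"u","approved":true} would populate Approved.
//   [HttpPost] public IActionResult CreateUnsafe(Request entity) { ... }

// Hardened request model: it only declares the properties a client may set.
// [Bind] restricts model binding of form/query/route data to this allow-list.
// Caveat: JSON bodies in a Web API go through the input formatter, which does not
// honour [Bind]/[BindNever]; there the protection is that the extra properties simply
// do not exist on this type, so unknown JSON members are dropped.
[Bind(nameof(Name), nameof(User))]
public class CreateRequestModel
{
    public string Name { get; set; } = default!;
    public string User { get; set; } = default!;
}

public interface IRequestService            // assumed service abstraction
{
    Task<bool> Create(Request entity);
}

[ApiController]
[Route("api/requests")]                     // assumed route
public class RequestsController : ControllerBase
{
    private readonly IRequestService _service;

    public RequestsController(IRequestService service) => _service = service;

    [HttpPost]
    public async Task<IActionResult> Create(CreateRequestModel model)
    {
        // Explicit mapping: server-owned fields are assigned here, never by the binder.
        var entity = new Request { Name = model.Name, User = model.User, Approved = false };
        bool status = await _service.Create(entity);
        return Ok(status);
    }
}
```

The explicit mapping step is what keeps the finding from reappearing when new properties are later added to the entity.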