Overposting

Overposting

  Overposting - I have been asked about ways to prevent overposting by an HR person.  When I asked what they meant by that, they could not elaborate.  Overposting and other terms means multiple things to multiple people.

    I came across an article where someone was responding to overposting and they were referring to it like it was a single term and it was different than my experiences.  The article about overposting was *1*.  They were defining overposting as exposing a public property that is like Secret or Id that someone sees and overwrites on a post event.  The programmers reply to answer with view model or DTO.   Never mind the problem is really a scope problem (Secret should be private) and no one would have seen it or that your Post method should not be written to set/change the Id column.  

    Another overposting happens when:  1) user presses "Save" button after entering but the web page is taking too long to respond and so the user presses the button again to try to ensure it is submitted or 2) in a multi-user environment two clerks are entering data and get the same person's paper form to submit and end up posting the data twice.  The real fix for these two scenarios is to be idempotent (ie. rather than insert twice and create duplicate, check to see if exists, if does then update else insert).   

   The overall the core problem is unknowledgeable asking vague checklist questions that determines knowledge or not. 


REFERENCES

*1* = https://stackoverflow.com/questions/41665523/how-can-i-detect-an-overposting-attack-in-asp-mvc-during-model-binding

Comments

Post a Comment

Popular posts from this blog

Upgrading to .NET8 from desktop versions 4.8.X

Image
Upgrade to Latest .NET OVERALL     Problems and differences encountered taking applications from .NET 4.8 desktop to .NET 8 . SUGGESTION    Rebuild the solution and project files from scratch with latest .NET 8. PROBLEMS APIs    On later .NET APIs (post 4.8 desktop), you need to be extra carefully about how the inbound objects are declared.  So if integer in Postman, then must be integer in object.  In older .NET, they accept properties as strings.       Example - Say body in Postman is:          {     "SettingData" : 31000 }    Pretend endpoint method is: [HttpPut("cache/resettimer")] [Produces("application/json")] [ProducesResponseType(typeof(ResetCacheResponse), Status200OK)] public async Task<HttpResponseMessage> MyMethod ([FromBody] InputData input)    Later .NET must be: public class InputData { public int SettingData { get; set; } } ...
Read more

JSON Web Tokens

Image
 JSON Web Tokens (JWT)   A JSON Web Token (JWT) is commonly used for authentication and authorization in web applications and APIs. Essentially, JWTs encode info about a user or entity into a JSON object, which is then digitally signed and/or encrypted.  A JWT consists of three parts, separated by dots (.):  1. Header: Contains metadata about the token, such as the signing algorithm (e.g., HMAC SHA256, RSA SHA256) and the token type (JWT).  2. Payload: Contains the claims, which are statements about an entity (e.g., user ID, role, expiration time).   3. Signature: Verify that the JWT sender is who they claim to be and that the message hasn't been tampered with.  How it works:   Authentication: A user logs in, and the server creates a JWT containing user info and other relevant claims.    Token Transmission: The server sends the JWT to the client (e.g., browser).    Subsequent Requests: The client includes the JWT in the au...
Read more

GHL > Set website so shorter URL address

Image
GHL > Set website so shorter URL address Background:  In GoHighLevel, you can  set a specific page as the default page   for your website or funnel, essentially making it the "index.html" equivalent for your domain. This page will be the first one displayed when someone visits your domain without specifying a specific page path.   Example:      1) GHL > Site > pick your funnel or website > Edit it.       2) Notice where it puts the website:     3) If my  https://aiappointmentbooker.com/  is not working but works when I go to  https://aiappointmentbooker.com/home-page-3213  like above, then you need to fix your index.html by doing these steps. Here's how you can do it: Go to Domains:  In your GoHighLevel account, go to  Settings > Domains . Find and Edit Your Domain:  Find the domain you want to configure and click on the edit icon next to it. Set the Default Page:  Set...
Read more