Let's use an example where you have a SQL table with Date_Created and Date_Updated columns. You also have a file in your MVC application at /Views/App/Edit, which produces a web page such as www.example.com/App/Edit/1. When submitting an update, only the Date_Updated column should be updated. One way to accomplish this is to use the HiddenFor HTML helper.
@Html.HiddenFor(model => model.Date_Created)
Because the Date_Created field is hidden, we cannot view or update the data in Date_Created when navigating to www.example.com/App/Edit/1. If we view the source of the web page, we should see something like this:
<input id="Date_Created" name="Date_Created" type="hidden" value="2016-01-01" />
However, using Fiddler, we will be able to update the Date_Created data in the database. You can download and install Fiddler from https://www.telerik.com/download/fiddler.
- Launch Fiddler.
- In your MVC application, edit and save a record at your www.example.com/App/Edit/1 page.
- In the left panel of Fiddler, highlight the capture that has www.example.com/App/Edit/1.
- In the right panel of Fiddler, select the Composer tab.
- Drag the www.example.com/App/Edit/1 capture onto the right panel.
- In the Request Body area, replace Date_Created=2016-01-01 with Date_Created=1999-01-01.
- Select Execute.
Now, if we return to www.example.com/App/Details/1, Date_Created will display 1999-01-01. While kind of an innocent example when thinking about Date Created, this at least demonstrates a vulnerability when using the HiddenFor HTML helper. This vulnerability can be mitigated by excluding Bind properties.
In the /Controllers/ExampleController file in your MVC application, locate the public ActionResult Edit section, and modify this section to exclude the Date_Created column, replacing table_name with the name of your SQL table.
public ActionResult Edit([Bind(Exclude = "Date_Created")] Table_name table_name)
Now, if we view the page source, there is no markup for the Date_Created column. Also, Fiddler is unable to modify the Date Created data.