I was trying to find one that had good examples of MVC ModelBinding Vulnerabilities (aka overposting), in a real-world-kinda-way (I have found tons of MVC ModelBinding Vulnerability examples which usually get dismissed with a 'that is not the recommended way to code MVC controllers').
So I think I found a great example (of what not to do) on the Contoso University sample.
This application is explained in detail in this article Creating an Entity Framework Data Model for an ASP.NET MVC Application (1 of 10) and can be downloaded from http://code.msdn.microsoft.com/ASPNET-MVC-Application-b01a9fe8/view/SourceCode (as shown below, you can also get this from the official ASP.NET MVC website)
A quick look at the code showed numerous vulnerable controllers, and in this first (raw) PoC example, we are going to exploit the public ActionResult Edit(int id, FormCollection formCollection, string[] selectedCourses) method from the InstructorController.cs file.
This is what the vulnerable code looks like:
Here is the page that is used to edit an Instructor's details (and the one we will use on the exploit)
Here is the source code of the exploit PoC:
Here is the execution of the code shown above (with a new course on 'Exploit MVC' which was added by the exploit)
This is actually an interesting scenario, specially since the affected controller tries to prevent injection into the Courses field :)
My next series of blog posts will explain how this works, and how it was possible to 'add a new course while editing an Instructor details'
