model binding in asp.net mvc

Tightly binding your model (Part of a series on ASP.NET MVC Security) Barry Dorrans MVP – Developer Security

Upload: barry-dorrans

Post on 18-Dec-2014


DESCRIPTION

A quick overview of how to secure your model binding in ASP.NET MVC

TRANSCRIPT

1. Tightly binding your model (Part of a series on ASP.NET MVC Security)
Barry Dorrans
MVP Developer Security

2. Introduction
The Model: A class that encapsulates data and represents a business entity, for example an Order.
The View: The user interface into an application.
The Controller: Manages communication between the UI and the model.
3. Binding
Binding takes input from a view and applies it to a model.
For example:
A view contains a field called PostCode
The model has a public get/set property called PostCode
Binding uses the PostCode property on the model to render onto the view and takes the returned PostCode input value and sets the property on the Model.
4. The Problem
What if I add a field during form submission that has a property name matching that of the model? ....
5. The Solution - FormDataCollection
If your actions take FormDataCollections, pass a string array of allowed bindable property names, e.g.
UpdateModel(boardPost, new[] { "Title", "Content", "Rating" });
6. The Solution Model Actions
If your actions take an instance of a model object, then set the Bind attribute in your method definition, e.g.
[AcceptVerbs(HttpVerbs.Post)]
public ActionResult Edit([Bind(Include = "Title,Content")] BoardPost boardPost)
7. The Solution Model Based
You can also apply the Bind attribute to your model classes, but this applies to all binding calls, which can be limiting.
[Bind(Include = "Title,Content")]
public class BoardPosting { }
8. The Solution General
Create a view specific model which has protected properties which are not bindable.
Or be really nasty and create a custom binder. Propeller hats needed.
You can also exclude rather than include, but white listing is more secure. Excludes may be suitable for model level restrictions.
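As an added example (not from the slides), the over-posting problem from slide 4 beside the fixes from slides 6 and 8, written as ASP.NET MVC C#. The BoardPost entity with its IsApproved flag, the view model and the controller are all constructed for illustration.

```csharp
using System.Web.Mvc;

// Constructed entity: IsApproved is a public settable property, so the default
// binder will fill it from any matching form field appended to the POST.
public class BoardPost
{
    public int Id { get; set; }
    public string Title { get; set; }
    public string Content { get; set; }
    public bool IsApproved { get; set; }   // privileged: moderators only
}
// Slide 8: a view-specific model that exposes only what the form may set.
public class EditBoardPostViewModel
{
    public int Id { get; set; }
    public string Title { get; set; }
    public string Content { get; set; }
}

public class BoardPostsController : Controller
{
    // Slide 4, the problem: every public property is bound, so an extra
    // "IsApproved=true" form field approves the post.
    [HttpPost]
    public ActionResult EditUnsafe(BoardPost boardPost)
    {
        Save(boardPost);
        return RedirectToAction("Index");
    }
    // Slide 6: whitelist the bindable properties on the parameter.
    [HttpPost]
    public ActionResult Edit([Bind(Include = "Id,Title,Content")] BoardPost boardPost)
    {
        Save(boardPost);   // IsApproved keeps its default of false
        return RedirectToAction("Index");
    }
    // Slide 8: bind the view model, then copy only the allowed fields across.
    [HttpPost]
    public ActionResult EditViaViewModel(EditBoardPostViewModel input)
    {
        var post = Load(input.Id);
        post.Title = input.Title;
        post.Content = input.Content;   // IsApproved is never touched
        Save(post);
        return RedirectToAction("Index");
    }

    private BoardPost Load(int id) { return new BoardPost { Id = id }; }   // data access omitted
    private void Save(BoardPost post) { }                                  // data access omitted
}
```

The view-model route also keeps the Include list from drifting out of sync with the entity when new privileged properties are added later.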