Chapter 16. Secure Development with the ASP.NET MVC Framework

In late 2007, Microsoft introduced a preview of the ASP.NET Model-View-Controller (MVC) Framework, which represented a different approach to developing Web applications with ASP.NET. The v1.0 release came in 2009. The MVC framework departs from the event-driven model inherent to Web Forms development, and exposes more of the "rawness" behind HTTP and Web development. As stated in Professional ASP.NET MVC 1.0 by Rob Conery, Scott Hanselman, Phil Haack, and Scott Guthrie (Indianapolis: Wrox, 2009), in doing so, the MVC framework follows these three guiding tenets:

  • Be more extensible, maintainable, and flexible

  • Be testable

  • Get out of the user's way when necessary

Because the framework follows these tenets, nothing is hidden or abstracted from the developer. There is no ViewState, no Web controls, and no drag-and-drop designers. MVC allows the developer to concentrate on development, and not on how Web Forms implement things in the pipeline or in the controls.

The purpose of this chapter is not to enter into a discussion about which approach is best, but rather to highlight areas where an ASP.NET MVC developer should pay particular attention to security issues. Not all of these issues are new to ASP.NET MVC. Some you will have already discovered in earlier chapters. Here, however, the approaches and solutions to the vulnerabilities and issues are presented in terms and code specific to the MVC framework.

In this chapter, you will build upon your understanding ...
