Felipe M Saboya .NET Developer


Article about the importance of using the feature called AntiForgeryToken that helps us prevent CSRF - Cross-Site Request Forgery attacks.




When developing Web Applications we should be concerned with "information insecurity", yes "insecurity", since the approach to security should assume that nobody is 100% secure if they are connected to the internet, that is, we, professionals who propose to develop and deliver complex and connected products, we must keep in mind all the security features that are offered by the technologies we propose to work on, such as Microsoft's ASP.NET.

That said, I bring my first article on the importance of using the feature called AntiForgeryToken that helps us prevent attacks CSRF - Cross-Site Request Forgery (pronounced C-surf), also know as XSRF.


The Problem


CSRF is an attack that forces an authenticated user into a Web Application to perform unwanted actions on behalf of the user, ie the attack forces the victim's browser to send a request.

For example, you may be logged in to the bank's website and decide to browse another site, and by clicking on some advertisement it performs a "Post" function and transfers your funds, without your noticing, to another account.


The Solution


The solution is very simple because ASP.NET MVC have has since its initial versions the ValidateAntiForgeryToken class attribute, which must be applied in two steps, and this will cause the Web Application to only recognize the action of the currently authenticated user and will reject any another that tries to perform an action for it, in this case, the CSFR attack will be prevented and the Web Application will return the Bad Request error.

1st Step - In the decoration of the class "Post" also adding the ValidateAntiForgeryToken attribute. As shown in the example below.

[HttpPost] [ValidateAntiForgeryToken] public async Task<IActionResult> Edit(TestViewModel viewModel) {     // Your code here! }


2nd Step - Adding the Helper to the View form. This will generate the "Token" to be recognized by the Web Application.

<form asp-controller="Test" asp-action="Edit" method="post">     @Html.AntiForgeryToken() </form>


It will be generated at run time something similar to the input:

<input name="__RequestVerificationToken" type="hidden" value="CfDJ8PIdqkEW0YRGiAj8BeRzSBbihqUysw0OL9LaEmtunQYO_YPhN1jS7YTAhPlsUY0HgD3yc1_ltbFMdcusdHHjQzuQGCrnew-orLK5GjvV_Ar3N-gomVX7UoHFGOjSKqW84rh4xFcDCqVjbOzzd12qOnENuOLbUmpx_jb7mWyJa_5W5dEGL-b6Siqw" />


Additional Solution for ASP.NET Core


In addition, the new ASP.NET Core technology has the ability to apply validation to the entire solution in the Startup class and apply only to state change classes (POST, PUT and DELETE).

OWASP recommends that the verbs listed above (POST, PUT and DELETE) be protected from this type of attack (see references area), so in summary, the implementation helps us to comply with this recommendation and, if is necessary to ignore the validation of the CSRF we can only decorate the class with the IgnoreAntiforgeryToken attribute.

- Complementing the “AddMvc” with the line presented below in your Startup class.

using Microsoft.AspNetCore.Mvc;
public class Startup {     public void ConfigureServices(IServiceCollection services)     {         services.AddMvc(options => { options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()); });     } }




• I suggest that you always use the feature presented in this article;

• I suggest reading the document with a TOP 10 that I found at https://www.owasp.org/images/4/42/OWASP_TOP_10_2007_PT-BR.pdf, which also mentions other threats to be analyzed and dealt with;

• Analyse the OWASP website in general, because there is information that we simply need to know.


* I take the opportunity to thank those who read my first article and reinforce the idea of my blog, which I intend to bring constant news mainly referring to ASP.NET Core technology, because it is where they are developed/refactoring all my projects. My cordial thank you!

Comments Login?
Leave a comment (just logged in). After review it will be published. Only your name will be displayed.