Hi All,
I have developed a web application using MVC 4.5. I tried making it secure against CSRF attacks.
I followed the following steps:
Added @Html.AntiForgeryToken() in the MVC view
    <% using (Html.BeginForm()) { %>
        <%= Html.AntiForgeryToken() %>
        ...content
    <% } %>
Decorated the controller method with the custom attribute ValidateAntiForgeryTokenOnAllPosts.
Following is the code for my attribute:
    using System;
    using System.Net;
    using System.Web;
    using System.Web.Helpers;
    using System.Web.Mvc;

    public class ValidateAntiForgeryTokenOnAllPosts : AuthorizeAttribute
    {
        public override void OnAuthorization(AuthorizationContext filterContext)
        {
            var request = filterContext.HttpContext.Request;

            // Only validate POSTs
            if (request.HttpMethod == WebRequestMethods.Http.Post)
            {
                // Cookie half of the token pair
                var antiForgeryCookie = request.Cookies[AntiForgeryConfig.CookieName];
                var cookieValue = antiForgeryCookie != null ? antiForgeryCookie.Value : null;
                try
                {
                    // Form half of the token pair, checked against the cookie half
                    AntiForgery.Validate(cookieValue, request.Form["__RequestVerificationToken"]);
                }
                catch (HttpAntiForgeryException ex)
                {
                    // ...
                    throw new System.Exception("Unauthorized access");
                }
            }
            else
                throw new System.Exception("Unauthorized access");
        }
    }
Once a user logs into the application, every view has a hidden form field __RequestVerificationToken. I observed that the value of the hidden form field __RequestVerificationToken is never equal to the cookie __RequestVerificationToken value.
I drafted an HTML page, added the action and POST parameters to it, added __RequestVerificationToken to it, and opened this drafted HTML page in the same browser in which the authenticated user had logged in. The drafted HTML page was able to execute a controller action, which implies the application is vulnerable to CSRF. I browsed 3-4 views in the application and noted down __RequestVerificationToken from the hidden form field. Then I added one of these tokens to the drafted HTML page and browsed it, and the controller action was executed. If I changed the __RequestVerificationToken to some value like '1234', then the request failed.
This implies that token was not getting validated at the server.
    <form action="/MyApp/LevelDesign/AddLevel" method="post">
        <input name="__RequestVerificationToken" type="hidden" value="OmRqK4F_n9-LnQJ-a4CrL7DiuDOwNz96YuaLLrHDnqGqOXdQInWEYYS6MsEKeQ23Iqx3pYNgIS9veYoTcEAZGpTkKibx9xjyu2_qz9DMjhzSHxvLThHWadNfR1Hhjp8Os7xrAd6vEya4hWZI6CCXifpDm2GlbVSPHcFMRqroxjI1" />
I am always using Ajax POST to execute a controller action. I want that every time I make a request to the server, a new token is generated, and once submitted, the new token should get validated at the server. How can I protect my application from CSRF attacks?
Any help will be appreciated.
Thanks
Shuchi
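An added example, not code from the original post, of the header-based pattern commonly used for Ajax POSTs with the same System.Web.Helpers.AntiForgery API the post uses. The attribute reads the form half of the token pair from a request header (falling back to the hidden form field) and passes it with the cookie half to AntiForgery.Validate, which rejects the request when the two halves were not issued together or when the token was issued to a different authenticated user; a small action hands Ajax callers a fresh form token bound to the current cookie via AntiForgery.GetTokens, so each response can carry a new token as the post asks for. The attribute class, the header name X-RequestVerificationToken, and the TokenController.Fresh action are assumptions chosen for this example.

```csharp
// Added example (not from the original post): anti-forgery validation for
// Ajax POSTs. Assumed names: the attribute class, the header name, and
// TokenController.Fresh. Requires System.Web.Mvc and System.Web.Helpers.
using System;
using System.Web;
using System.Web.Helpers;
using System.Web.Mvc;

public class ValidateAntiForgeryTokenForAjaxAttribute : FilterAttribute, IAuthorizationFilter
{
    // Header name chosen for this example; it is not an ASP.NET default.
    public const string HeaderName = "X-RequestVerificationToken";

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        var request = filterContext.HttpContext.Request;

        // Only state-changing POSTs carry a token; safe methods pass through.
        if (!string.Equals(request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase))
            return;

        // Cookie half of the pair, issued by AntiForgery.GetHtml() or GetTokens().
        var cookie = request.Cookies[AntiForgeryConfig.CookieName];
        string cookieToken = cookie != null ? cookie.Value : null;

        // Form half: Ajax callers send it in a header, classic forms in the body.
        string formToken = request.Headers[HeaderName] ?? request.Form["__RequestVerificationToken"];

        try
        {
            // Throws HttpAntiForgeryException when the halves do not belong
            // together, are missing, or were issued to another user.
            AntiForgery.Validate(cookieToken, formToken);
        }
        catch (HttpAntiForgeryException)
        {
            // Reject with 403 instead of surfacing an exception page.
            filterContext.Result = new HttpStatusCodeResult(403, "Invalid anti-forgery token");
        }
    }
}

public class TokenController : Controller
{
    // Issues a fresh form token bound to the caller's current cookie token.
    // Ajax code calls this, then sends the token in the header above.
    [HttpGet]
    public ActionResult Fresh()
    {
        var oldCookie = Request.Cookies[AntiForgeryConfig.CookieName];
        string newCookieToken, newFormToken;
        AntiForgery.GetTokens(oldCookie != null ? oldCookie.Value : null,
                              out newCookieToken, out newFormToken);

        // GetTokens returns a null cookie token when the existing one is still valid.
        if (newCookieToken != null)
        {
            Response.Cookies.Add(new HttpCookie(AntiForgeryConfig.CookieName, newCookieToken)
            {
                HttpOnly = true,
                Secure = Request.IsSecureConnection
            });
        }

        return Json(new { token = newFormToken }, JsonRequestBehavior.AllowGet);
    }
}
```

Decorate the Ajax-targeted actions with [ValidateAntiForgeryTokenForAjax]; on the client, fetch /Token/Fresh, put the returned token in the X-RequestVerificationToken header of the POST, and repeat for the next request. Because the form half is only accepted together with the cookie half that was issued with it, and the cookie is HttpOnly, a token value alone cannot be used from a context that does not also hold the matching cookie.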