Channel: Internet Explorer Web Development forum

CSRF RequestVerificationToken not validating at server in MVC 4.5


Hi All,

I have developed a web application using MVC 4.5. I tried making it secure against CSRF attacks.

I followed the following steps:

Added @Html.AntiForgeryToken() in the MVC view

<% using (Html.BeginForm()) { %>
    <%= Html.AntiForgeryToken() %>
    ...content
<% } %>

Decorated the controller method with a custom attribute ValidateAntiForgeryTokenOnAllPosts

Following is the code for my attribute

using System;
using System.Net;
using System.Web.Helpers;
using System.Web.Mvc;

public class ValidateAntiForgeryTokenOnAllPosts : AuthorizeAttribute
{
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        var request = filterContext.HttpContext.Request;
        // Only validate POSTs
        if (request.HttpMethod == WebRequestMethods.Http.Post)
        {
            // Cookie half of the token pair, set when Html.AntiForgeryToken() rendered the view
            var antiForgeryCookie = request.Cookies[AntiForgeryConfig.CookieName];
            var cookieValue = antiForgeryCookie != null ? antiForgeryCookie.Value : null;
            try
            {
                // Form half of the pair, posted back from the hidden field
                AntiForgery.Validate(cookieValue, request.Form["__RequestVerificationToken"]);
            }
            catch (HttpAntiForgeryException ex)
            {
                ...
                throw new System.Exception("Unauthorized access");
            }
        }
        else throw new System.Exception("Unauthorized access");
    }
}

Once the user logs into the application, every View has a hidden form field __RequestVerificationToken. I observed that the value of the hidden form field __RequestVerificationToken is never equal to the cookie __RequestVerificationToken value.

I drafted an HTML page, added the Action and POST parameters to it, added __RequestVerificationToken to it, and opened this drafted HTML page in the same browser in which the authenticated user had logged in. The drafted HTML page was able to execute a controller action, which implies the application is vulnerable to CSRF. I browsed 3-4 views in the application and noted down __RequestVerificationToken from the hidden form field. Now I added one of these tokens to the drafted HTML page and browsed it, and the controller action was executed. If I changed the __RequestVerificationToken to some value like '1234', then the request failed.

This implies that token was not getting validated at the server.

  <form action="/MyApp/LevelDesign/AddLevel" method="post"><input name="__RequestVerificationToken" type="hidden" value="OmRqK4F_n9-LnQJ-a4CrL7DiuDOwNz96YuaLLrHDnqGqOXdQInWEYYS6MsEKeQ23Iqx3pYNgIS9veYoTcEAZGpTkKibx9xjyu2_qz9DMjhzSHxvLThHWadNfR1Hhjp8Os7xrAd6vEya4hWZI6CCXifpDm2GlbVSPHcFMRqroxjI1" />

I am always using Ajax POST to execute a controller action. I want that every time I make a request to the server, a new token is generated, and once submitted, the new token should get validated at the server. How can I protect my application from CSRF attacks?

Any help will be appreciated.

Thanks

Shuchi
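Editor's note with an added example (not the poster's code and not part of the original thread). Two things in the post are worth separating. First, in MVC 4 the cookie and the hidden field are not supposed to be equal: the cookie carries a random session token, and the hidden field carries a form token that embeds that same session token plus the current username, both protected with the machine key. AntiForgery.Validate decrypts both and checks that the form token was issued for the cookie's session token and for the logged-in user, so any form token taken from any view of the same session validates, while a made-up value such as '1234' does not. That is exactly what the test above observed, and it is the designed behaviour: the protection rests on a cross-site page being unable to read the hidden field, not on tokens being single-use. A "drafted HTML page" that already contains a valid token is simulating an attacker who has XSS or the user's session, which CSRF protection does not defend against; the meaningful test is the same page without the token, or with one minted for another session. Second, the posted attribute subclasses AuthorizeAttribute (which interacts with MVC's authorization output-cache hooks), rejects every non-POST request to the decorated action, and turns a validation failure into a bare Exception, i.e. a 500. The filter below, written for this page as an example and assuming an ASP.NET MVC 4 / System.Web.Helpers project, implements IAuthorizationFilter directly, lets safe methods through, accepts the form token either from the hidden field or, for the AJAX case the poster describes, from a request header named RequestVerificationToken (that header name is this example's choice, not a framework convention; the client has to copy the hidden field's value into it), and fails with a 403.

```csharp
// Added example for this page, not the original poster's code and not part of
// ASP.NET MVC itself. Assumes ASP.NET MVC 4 with System.Web.Helpers available.
// Assumption: AJAX clients send the value of the __RequestVerificationToken hidden
// field in a header named "RequestVerificationToken" (name chosen here).
using System;
using System.Net;
using System.Web;
using System.Web.Helpers;
using System.Web.Mvc;

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false, Inherited = true)]
public sealed class ValidateAntiForgeryTokenOnAllPostsAttribute : FilterAttribute, IAuthorizationFilter
{
    // Header an AJAX client copies the hidden-field value into (assumed name).
    public const string HeaderName = "RequestVerificationToken";

    // Name of the hidden field emitted by Html.AntiForgeryToken().
    private const string FormFieldName = "__RequestVerificationToken";

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null)
        {
            throw new ArgumentNullException("filterContext");
        }

        HttpRequestBase request = filterContext.HttpContext.Request;

        // Safe methods do not change state, so they are not CSRF targets.
        // Rejecting them outright (as the posted attribute does) breaks every
        // GET to a decorated controller.
        if (IsSafeMethod(request.HttpMethod))
        {
            return;
        }

        // Cookie half of the pair: the per-session security token.
        HttpCookie cookie = request.Cookies[AntiForgeryConfig.CookieName];
        string cookieToken = cookie != null ? cookie.Value : null;

        // Form half of the pair: hidden field for classic posts, header for AJAX posts.
        string formToken = request.Form[FormFieldName];
        if (string.IsNullOrEmpty(formToken))
        {
            formToken = request.Headers[HeaderName];
        }

        try
        {
            // Decrypts both tokens with the machine key and checks that the form
            // token was issued for the cookie's session token and for the current
            // user. The two strings are never equal, and every form token issued for
            // this cookie validates until the cookie changes; that is by design.
            // A null cookie or form token makes Validate throw as well.
            AntiForgery.Validate(cookieToken, formToken);
        }
        catch (HttpAntiForgeryException)
        {
            // Short-circuit the action with a 403 rather than throwing a bare
            // Exception, which MVC would surface as a 500 error page.
            filterContext.Result = new HttpStatusCodeResult(
                HttpStatusCode.Forbidden, "Anti-forgery token validation failed.");
        }
    }

    private static bool IsSafeMethod(string httpMethod)
    {
        return string.Equals(httpMethod, "GET", StringComparison.OrdinalIgnoreCase)
            || string.Equals(httpMethod, "HEAD", StringComparison.OrdinalIgnoreCase)
            || string.Equals(httpMethod, "OPTIONS", StringComparison.OrdinalIgnoreCase)
            || string.Equals(httpMethod, "TRACE", StringComparison.OrdinalIgnoreCase);
    }
}
```

Decorate the controller (or individual actions) with [ValidateAntiForgeryTokenOnAllPosts] and keep Html.AntiForgeryToken() in the views. For the AJAX POSTs, the script reads the value of the hidden input rendered by Html.AntiForgeryToken() and adds it as the RequestVerificationToken header on each request (with jQuery, the headers option of $.ajax does this); the hidden field's value is same-origin content, so a cross-site page cannot read it without an XSS bug in the application. On the per-request-token wish in the post: AntiForgery in MVC 4 has no single-use mode, and a form token stays valid for as long as the cookie does; if a one-time token is a hard requirement, it has to be built on top (for example by recording consumed form tokens server-side and rejecting a repeat), at the cost of breaking multi-tab use and the back button.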

