Prevent Cross-Site Request Forgery (CSRF) attack in ASP.NET MVC

How to prevent Cross-Site Request Forgery (CSRF) attack in ASP.NET MVC?

A Cross-Site Request Forgery (CSRF) attack is one in which a malicious website causes a victim's browser to send a request to a web application on which the victim is already authenticated. Because the browser attaches the session cookie automatically, the application cannot tell the forged request from one the user intended to make.
In other words, the request arrives at the form's action from somewhere other than the form it was meant to be submitted from. To prevent this kind of attack in ASP.NET MVC, we use the @Html.AntiForgeryToken() helper method inside the form and the ValidateAntiForgeryToken attribute on the controller action that receives the post.
VIEW CODE
@using (Html.BeginForm()) {
    @Html.AntiForgeryToken()
    @Html.ValidationSummary(true)

    <div class="editor-label">
        @Html.LabelFor(model => model.FirstName)
    </div>
    <div class="editor-field">
        @Html.EditorFor(model => model.FirstName)
        @Html.ValidationMessageFor(model => model.FirstName)
    </div>
}
Notice the @Html.AntiForgeryToken() line in the above form. It generates a hidden input named __RequestVerificationToken and, in the same response, sets a cookie of the same name; the two values are an encrypted, paired token. On the server the form value and the cookie value are validated against each other, so a request that arrives with only the cookie the browser sends automatically (which is all a page on another origin can rely on) is rejected.
<form action="/PersonalDetail/Create" method="post">
    <input name="__RequestVerificationToken" type="hidden"
           value="lgp_fxdlYmHf7q4Tpn75nq1Pdd3m4G3Vnb1uFEJ0FBhYHdXyH4VFg8dxvO2ScYt_49ZQg7prob9RfNrj7IWHkOgcQjBEM2oX_W1VnHfAOSA1" />
    <div class="validation-summary-errors"><ul><li style="display:none"> ………….. 
</form>
Just keeping @Html.AntiForgeryToken() in the form is not enough. We also need to add the ValidateAntiForgeryToken attribute to the controller action that the form posts to; without it the hidden field is generated but never checked.
CONTROLLER ACTION CODE
[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult Create(PersonalDetail personaldetail)
{
    // ValidateAntiForgeryToken has already rejected any request whose form token
    // and cookie token do not match, so this body only runs for a valid token pair.
    if (!ModelState.IsValid)
        return View(personaldetail);

    // Persist personaldetail here (not shown on this page), then redirect.
    return RedirectToAction("Index");
}
With both halves in place, any request that reaches this action carried a form token matching the anti-forgery cookie, which a page on another origin cannot obtain, so a forged submission is rejected with an HttpAntiForgeryException before the action body runs. This is not an absolute guarantee, though: the attribute must be present on every action that changes state (a POST action without it is unprotected), GET actions must never change state (they carry no token), AJAX posts have to send the token explicitly, and a cross-site scripting bug on the site lets an attacker read the token and defeats the check entirely.
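The attribute-per-action approach fails silently the moment one POST action is written without it. The following is an added example (not code from the original post) of a global MVC filter that validates the token pair on every state-changing request instead, plus an action that issues a token pair to AJAX callers that have no Razor form on the page. It assumes MVC 4 or later (for AntiForgeryConfig), the default FilterConfig class from the project template, and a header name, X-RequestVerificationToken, chosen here for AJAX clients; those names are assumptions, not part of the page.

```csharp
using System;
using System.Web;
using System.Web.Helpers;
using System.Web.Mvc;

// Added example: validates the anti-forgery token pair on every request that can
// change state, so an action that forgets [ValidateAntiForgeryToken] is still covered.
public class ValidateAntiForgeryTokenOnUnsafeMethodsAttribute : FilterAttribute, IAuthorizationFilter
{
    // Methods that must never be accepted on the strength of the browser's cookie alone.
    private static readonly string[] UnsafeMethods = { "POST", "PUT", "PATCH", "DELETE" };

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null) throw new ArgumentNullException("filterContext");

        var request = filterContext.HttpContext.Request;
        if (Array.IndexOf(UnsafeMethods, request.HttpMethod.ToUpperInvariant()) < 0)
            return; // GET/HEAD/OPTIONS carry no token and must not change state.

        // Cookie half of the pair, set by @Html.AntiForgeryToken() (or by Token() below).
        var cookie = request.Cookies[AntiForgeryConfig.CookieName];
        string cookieToken = cookie != null ? cookie.Value : null;

        // Form half: the hidden field for normal form posts, or a header for AJAX
        // callers. The header name is an assumption for this example.
        string formToken = request.Form["__RequestVerificationToken"]
                           ?? request.Headers["X-RequestVerificationToken"];

        // Throws HttpAntiForgeryException when either half is missing or they don't match.
        AntiForgery.Validate(cookieToken, formToken);
    }
}

// Issues a token pair to script on the page that posts JSON rather than a Razor form.
// Controller and action names are assumptions for this example.
public class AntiForgeryController : Controller
{
    [HttpGet]
    public ActionResult Token()
    {
        var existing = Request.Cookies[AntiForgeryConfig.CookieName];
        string cookieToken, formToken;

        // If the existing cookie token is still valid, GetTokens returns a null
        // cookieToken and a formToken bound to it; otherwise both are new.
        AntiForgery.GetTokens(existing != null ? existing.Value : null,
                              out cookieToken, out formToken);

        if (cookieToken != null)
            Response.Cookies.Add(new HttpCookie(AntiForgeryConfig.CookieName, cookieToken) { HttpOnly = true });

        // Only the form half is returned; the cookie half is set on the response.
        return Json(new { token = formToken }, JsonRequestBehavior.AllowGet);
    }
}

// App_Start/FilterConfig.cs, as generated by the default MVC 4/5 template (assumed).
public static class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());
        filters.Add(new ValidateAntiForgeryTokenOnUnsafeMethodsAttribute());
    }
}
```

The filter deliberately skips safe methods: applying the stock ValidateAntiForgeryTokenAttribute globally would also run on GET requests, which carry no token, and would break every page load. An AJAX caller fetches /AntiForgery/Token, then sends the returned value in the X-RequestVerificationToken header on each POST; the cookie half travels automatically, and a script on another origin can read neither the JSON response nor the cookie, so it still cannot assemble a valid pair.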
