HOW TO AVOID CROSS SITE REQUEST FORGERY CSRF IN ASP.NET MVC

Simond Gear

Total Post:26

Points:182
Posted by  Simond Gear
 838  View(s)
Ratings:
Rate this:
Hi Everyone,

I want to know how to avoid cross site request forgery CSRF(Cross Site Request Forgery) in my MVC  application.

Thank you.
  1. Anupam Mishra

    Post:135

    Points:949
    Re: How to avoid cross site request forgery CSRF in ASP.NET MVC

    Hi Simond,


    To avoid Cross Site Request Forgery (CSRF) in ASP.NET MVC, we need to do two things for each page.

    1. Add  [ValidateAntiForgeryToken] attribute in the Controller Action method which is executing when the form data is being submitted.

    2. Add  @Html.AntiForgeryToken() element in the HTML form.


  1. Santosh Kumar Singh

    Post:8

    Points:56
    Re: How to avoid cross site request forgery CSRF in ASP.NET MVC

    Prevent MVC Application from Cross Site Request Forgery Attacks

     

    All web application platforms are potentially vulnerable to CSRF (Cross-Site Request Forgery) attacks. The best way to prevent this attack in MVC application is to use Anti-Forgery token.

    Consider a banking website "www.bank.com" contains an action method DeleteUser in User Controller. When a web request comes from a client, the controller fetches the user id from session and deletes the user from database. Consider one hacker created a site "www.songs.com" and it contain one button 'Latest songs'. The button click event calls the "www.bank.com/User/DeleteAccount". A user is logged in "www.bank.com" and he is visiting "www.songs.com" using the same browser with another tab. When he clicking the 'Latest songs' button, his account will delete from the bank database. To avoid these type of unwanted requests from other sites, MVC application developers use Anti-Forgery Token.

    Anti-Forgery Token is mainly used in form POST actions to verify the source of the POST data. In this method, for each page request, the web server sends a cookie to the client browser. While posting the data or next request time, the web server uses this cookie for client authentication. If the request is coming from an unauthorized site, the cookie will be null or invalid. By adding [ValidateAntiForgeryToken] above the controller and @Html.AntiForgeryToken() in the view page, we can prevent cross site requests forgery.

    Using the Code

    The below code illustrates how Anti-Forgery Token Cross Site Request Forgery:

    Without Anti-Forgery Token

    1. Controller (Controller for deleting the user account)


    public class UserController : Controller

       {

           public ActionResult DeleteUser()

           {

               var userId = (int)Session["userId"];

               DeleteUserFromDb(userId);  //Function for deleting the user from Database

              return View();

           }

       }

    2. View (Button for deleting the user account in Bank page)


    @using (Html.BeginForm("DeleteUser", "User"))

    {   

        <input type="submit" value="Delete My Account" />

    }

    With Anti-Forgery Token

    1. Controller


    [ValidateAntiForgeryToken]

    public class UserController : Controller

        {

            public ActionResult DeleteUser()

            {

                var userId = (int)Session["userId"];            

                DeleteUserFromDb(userId);//Function for deleting the user from Database

                return View();

             }

        }

    2. View


    @using (Html.BeginForm("DeleteUser", "User"))

    { 

        @Html.AntiForgeryToken()

        <input type="submit" value="Delete My Account" />

    }

    Cross Site Request Error


    Server Error in '/' Application.

     

    The required anti-forgery cookie "__RequestVerificationToken" is not present.

     

    Description: An unhandled exception occurred during the execution of the current web request.

    Please review the stack trace for more information about the error and where it originated in the code.

     

    Exception Details: System.Web.Mvc.HttpAntiForgeryException:

    The required anti-forgery cookie "__RequestVerificationToken" is not present.

     

Answer

NEWSLETTER

Enter your email address here always to be updated. We promise not to spam!