MVC CSRF Protection
(Part of a series on ASP.NET MVC Security)
Barry Dorrans, MVP – Developer Security
Introduction
• CSRF = Cross Site Request Forgery
Cross-site request forgery (CSRF) is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. Contrary to cross-site scripting (XSS), which exploits the trust a user has for a particular site, cross-site request forgery exploits the trust that a site has for a particular user.
Wikipedia
The Problem
• When a site authenticates a user, it sets an authentication cookie.
• That cookie belongs to the site that set it, and the browser sends it with every request to that site, no matter which page caused the request.
• An attacker writes a form on their own page that submits to the authenticated site and performs an action there.
• The user’s authentication cookie goes with the request. BANG.
In the real world
Researchers from Princeton University today revealed their discovery of four major Websites susceptible to the silent-but-deadly cross-site request forgery (CSRF) attack - including one on INGDirect.com’s site that would let an attacker transfer money out of a victim’s bank account.
darkreading.com
The Solution – A CSRF Canary
• A CSRF canary sets a cookie on the user’s browser and embeds a matching hidden field in each protected form; on submit the server checks that the two agree.
• The value is unpredictable and different for every user.
• An attacker cannot predict the canary value, and their page cannot read the victim’s cookie or the site’s rendered form (same-origin policy), so they cannot build a form whose hidden field matches the cookie the browser will send.
Adding the canary
• In your view, add the following inside the form:
<%= Html.AntiForgeryToken() %>
• In your controller, add the following attribute to the action that handles the POST:
[ValidateAntiForgeryToken]
• Feel smug (if you remembered to do both: the hidden field does nothing unless the action validates it, and the attribute rejects every POST if the view never emits the token).
CAVEAT: GET requests
• The MVC canary only protects POST requests: the hidden field travels in the form body, so an action that is reachable by GET is unprotected. Mark state-changing actions with [HttpPost] (or [AcceptVerbs(HttpVerbs.Post)]) so a crafted link or <img src> cannot trigger them.
• The HTTP spec (RFC 2616 §9.1) defines GET as safe and idempotent: it should not change state.
• Don’t do daft things based on query strings; anything that changes state should be a POST carrying the canary.
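The following is an added example, not code from the slides or from Barry Dorrans: an ASP.NET MVC 2 controller and view for a hypothetical money-transfer feature, showing the vulnerable action from "The Problem" alongside the fixed action with both halves of the canary from "Adding the canary", and why the GET caveat matters. The AccountService helper, the CsrfDemo namespace and the bank.example / attacker.example hostnames are assumptions made for the example. [HttpPost] is MVC 2 syntax; on MVC 1 use [AcceptVerbs(HttpVerbs.Post)].

```csharp
// Added example (not from the original deck). ASP.NET MVC 2, C#.
// Assumes a hypothetical AccountService.Transfer helper (stubbed below)
// and that the site is served at https://bank.example/.
using System.Web.Mvc;

namespace CsrfDemo.Controllers
{
    // Stand-in for the real banking logic (hypothetical).
    public static class AccountService
    {
        public static void Transfer(string from, string to, decimal amount)
        {
            // Real implementation omitted; the point of the example is the attributes.
        }
    }

    public class AccountController : Controller
    {
        // BEFORE: no verb restriction, no canary. The browser attaches the victim's
        // authentication cookie to any request for bank.example, so either of these
        // on a page at attacker.example triggers a transfer while the victim is logged in:
        //
        //   GET via an image tag (no user action needed):
        //   <img src="https://bank.example/Account/Transfer?to=attacker&amount=1000">
        //
        //   POST via an auto-submitting form:
        //   <form id="f" method="post" action="https://bank.example/Account/Transfer">
        //     <input type="hidden" name="to" value="attacker">
        //     <input type="hidden" name="amount" value="1000">
        //   </form>
        //   <script>document.getElementById("f").submit();</script>
        public ActionResult Transfer(string to, decimal amount)
        {
            AccountService.Transfer(User.Identity.Name, to, amount);
            return RedirectToAction("Index");
        }

        // AFTER, step 1: GET only renders the form and changes nothing.
        [HttpGet]
        public ActionResult TransferSafe()
        {
            return View();
        }

        // AFTER, step 2: the action is POST-only (so the <img> trick is dead) and
        // [ValidateAntiForgeryToken] rejects the request unless the posted
        // __RequestVerificationToken hidden field matches the anti-forgery cookie.
        // The attacker's form above still gets the cookie for free, but cannot
        // supply the hidden field: the same-origin policy stops a page on
        // attacker.example from reading bank.example's rendered form.
        [HttpPost]
        [ValidateAntiForgeryToken]
        public ActionResult TransferSafe(string to, decimal amount)
        {
            AccountService.Transfer(User.Identity.Name, to, amount);
            return RedirectToAction("Index");
        }
    }
}

/* Views/Account/TransferSafe.aspx, the half that lives in the view.
   Html.AntiForgeryToken() emits the hidden field and sets the matching cookie;
   without it, every POST to TransferSafe fails validation.

<% using (Html.BeginForm()) { %>
    <%= Html.AntiForgeryToken() %>
    To: <%= Html.TextBox("to") %>
    Amount: <%= Html.TextBox("amount") %>
    <input type="submit" value="Transfer" />
<% } %>
*/
```

Note that the attributes go on the action that performs the state change, not on the one that renders the form: validating the token on the GET that draws the form would reject every first visit, while leaving it off the POST leaves the transfer forgeable.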