MVC CSRF Protection
MVC CSRF (Part of a series on ASP.NET MVC Security)
Barry Dorrans, MVP – Developer Security
Introduction
• CSRF = Cross Site Request Forgery
Cross-site request forgery (CSRF) is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. Contrary to cross-site scripting (XSS), which exploits the trust a user has for a particular site, cross-site request forgery exploits the trust that a site has for a particular user.
Wikipedia
The Problem
• When a site authenticates a user, it drops an authentication cookie.
• This cookie belongs to the site that drops it and is sent with every request to that site.
• Evil hacker writes a form that submits to an authenticated site and does something.
• User’s authentication cookie goes with the request. BANG
In the real world
Researchers from Princeton University today revealed their discovery of four major Websites susceptible to the silent-but-deadly cross-site request forgery (CSRF) attack - including one on INGDirect.com’s site that would let an attacker transfer money out of a victim’s bank account.
darkreading.com
The Solution – A CSRF Canary
• A CSRF Canary drops a cookie onto the user’s browser and embeds a matching hidden field in each protected form.
• The value is different for every user.
• An attacker cannot predict the canary value and so cannot create a suitable form to submit.
Adding the canary
• In your view, add the following inside the form: <%= Html.AntiForgeryToken() %>
• In your controller, add the following attribute to the action: [ValidateAntiForgeryToken]
• Feel smug (if you remembered to do both)
CAVEAT: GET requests
• The MVC solution only works with POST requests.
• HTTP spec says that GET requests must be idempotent and should not change state.
• Don’t do daft things based on query strings.
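Putting the two halves of the canary together with the GET caveat, as an added example that is not part of the original slides; the controller, action and parameter names (AccountController, Transfer, toAccount, amount) are assumed for illustration.

```csharp
// Added example, not from the slides. Assumes an ASP.NET MVC project using the
// ASPX view engine; names below are illustrative.
using System.Web.Mvc;

public class AccountController : Controller
{
    // GET shows the form. That is allowed because it changes no state; the
    // view is where Html.AntiForgeryToken() drops the cookie + hidden field.
    [Authorize]
    [HttpGet]
    public ActionResult Transfer()
    {
        return View();
    }

    // The state-changing action. [HttpPost] keeps it off GET (the slides' caveat:
    // the canary only works for POST), and [ValidateAntiForgeryToken] compares the
    // hidden field with the anti-forgery cookie before this body runs; a mismatch
    // or missing token raises HttpAntiForgeryException and the transfer never happens.
    [Authorize]
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Transfer(string toAccount, decimal amount)
    {
        // ... move 'amount' from User.Identity.Name's account to 'toAccount' ...
        return RedirectToAction("Transfer");
    }

    // The caveat in one line: an action like the one below changes state on a
    // plain GET, so any link or image request fires it and no canary attribute
    // can protect it. Make it POST + [ValidateAntiForgeryToken] instead.
    //
    // public ActionResult Delete(int id) { /* delete id */ return RedirectToAction("Transfer"); }
}

/* Views/Account/Transfer.aspx (shown as a comment so the example is one file):

<% using (Html.BeginForm("Transfer", "Account", FormMethod.Post)) { %>
    <%= Html.AntiForgeryToken() %>   <%-- hidden field matching the cookie --%>
    To account: <%= Html.TextBox("toAccount") %>
    Amount:     <%= Html.TextBox("amount") %>
    <input type="submit" value="Transfer" />
<% } %>

*/
```

Forgetting either half silently disables the check: without the attribute the POST is accepted unvalidated, and without the helper every legitimate submission fails validation.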