MVC CSRF (Part of a series on ASP.NET MVC Security) Barry Dorrans MVP – Developer Security

Upload: barry-dorrans

Post on 24-Dec-2014


Page 1: MVC CSRF Protection


Page 2

Introduction

• CSRF = Cross Site Request Forgery

Cross-site request forgery (CSRF) is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. Contrary to cross-site scripting (XSS), which exploits the trust a user has for a particular site, cross-site request forgery exploits the trust that a site has for a particular user.

Wikipedia

Page 3

The Problem

• When a site authenticates a user, it drops an authentication cookie.

• This cookie belongs to the site that drops it and is sent with every request to that site.

• An evil hacker writes a form that submits to a site the user is authenticated to and does something on the user's behalf.

• User’s authentication cookie goes with the request. BANG

Page 4

In the real world

Researchers from Princeton University today revealed their discovery of four major Websites susceptible to the silent-but-deadly cross-site request forgery (CSRF) attack - including one on INGDirect.com’s site that would let an attacker transfer money out of a victim’s bank account.

darkreading.com

Page 5

The Solution – A CSRF Canary

• A CSRF Canary drops a cookie onto the user’s browser and embeds a matching hidden field in each protected form.

• The value is different for every user.

• An attacker cannot predict the canary value and so cannot create a suitable form to submit.

Page 6

Adding the canary

• In your view, add the following inside the form:

<%= Html.AntiForgeryToken() %>

• In your controller, add the following attribute to the action:

[ValidateAntiForgeryToken]

• Feel smug (if you remembered to do both)

Page 7

CAVEAT: GET requests

• The MVC solution only works with POST requests.

• HTTP spec says that GET requests must be idempotent and should not change state.

• Don’t do daft things based on query strings.
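The canary mechanism from Page 5 and the GET caveat from Page 7, modelled as a small Python program. This is an added example, not ASP.NET MVC's own implementation: render_form stands in for Html.AntiForgeryToken() (drop the cookie, emit the matching hidden field) and validate_anti_forgery stands in for [ValidateAntiForgeryToken]. The field name __RequestVerificationToken is the one MVC uses; using the same name for the cookie, the server secret, the HMAC binding of the canary to the username and the constructed requests in demo() are all assumptions made for the example. The transfer action refuses anything but POST, which is the practical form of "don't do daft things based on query strings".

```python
"""Model of the MVC anti-forgery canary: cookie + hidden form field, checked
on POST only, with the GET caveat. Example code, not MVC's own."""
import hashlib
import hmac
import secrets

# Constructed server secret; a real site keeps this in protected configuration.
SERVER_SECRET = b"constructed-example-secret"
TOKEN_NAME = "__RequestVerificationToken"  # MVC's field name; cookie name simplified here


def issue_canary(username: str) -> str:
    """Create a canary for one user: a random salt plus an HMAC binding it to the
    user, so the value is unpredictable and differs for every user (assumed design)."""
    salt = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{salt}|{username}".encode(), hashlib.sha256).hexdigest()
    return f"{salt}.{mac}"


def canary_matches_user(token: str, username: str) -> bool:
    """Recompute the HMAC for this user and compare in constant time."""
    salt, _, mac = token.partition(".")
    if not salt or not mac:
        return False
    expected = hmac.new(SERVER_SECRET, f"{salt}|{username}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def render_form(username: str) -> tuple:
    """Stand-in for Html.AntiForgeryToken(): returns (cookies to set, form HTML)."""
    canary = issue_canary(username)
    cookies = {TOKEN_NAME: canary}
    html = f'<form method="post"><input type="hidden" name="{TOKEN_NAME}" value="{canary}"></form>'
    return cookies, html


def validate_anti_forgery(request: dict) -> bool:
    """Stand-in for [ValidateAntiForgeryToken]: cookie and hidden field must both
    be present, match each other, and verify for the authenticated user."""
    cookie = request["cookies"].get(TOKEN_NAME)
    field = request["form"].get(TOKEN_NAME)
    if not cookie or not field:
        return False
    if not hmac.compare_digest(cookie, field):
        return False
    return canary_matches_user(cookie, request["user"])


def transfer(request: dict, balances: dict) -> int:
    """State-changing action; returns an HTTP-style status code. Only POST is
    accepted: the canary is checked on POST only, so a GET-driven transfer
    would be guarded by nothing but the authentication cookie."""
    if request["method"] != "POST":
        return 405  # GET must not change state
    if not validate_anti_forgery(request):
        return 403
    user = request["user"]
    balances[user] -= int(request["form"]["amount"])
    return 200


def demo() -> dict:
    """Run constructed requests through the action and report the outcomes."""
    balances = {"alice": 100}
    cookies, _html = render_form("alice")
    canary = cookies[TOKEN_NAME]
    results = {}
    # Legitimate submission: the browser sends the cookie and the hidden field.
    results["legit"] = transfer({"method": "POST", "user": "alice", "cookies": cookies,
                                 "form": {TOKEN_NAME: canary, "amount": "10"}}, balances)
    # Cross-site form: alice's cookie still travels, but the form field cannot match it.
    results["cross_site"] = transfer({"method": "POST", "user": "alice", "cookies": cookies,
                                      "form": {TOKEN_NAME: "guess", "amount": "90"}}, balances)
    # Canary issued for a different user: cookie and field agree but fail the user binding.
    bob_cookie = render_form("bob")[0][TOKEN_NAME]
    results["wrong_user"] = transfer({"method": "POST", "user": "alice",
                                      "cookies": {TOKEN_NAME: bob_cookie},
                                      "form": {TOKEN_NAME: bob_cookie, "amount": "90"}}, balances)
    # Query-string driven GET: refused outright, since the canary check would not apply.
    results["get"] = transfer({"method": "GET", "user": "alice", "cookies": cookies,
                               "form": {"amount": "90"}}, balances)
    results["balance"] = balances["alice"]
    return results


if __name__ == "__main__":
    print(demo())
```

Only the legitimate request reaches the ledger; the cross-site form, the replayed token and the GET all stop before any state changes, which is the order of checks you want when auditing an action: method first, canary second, business logic last.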