Cross Site Request Forgery in ASP.NET MVC

Cross Site Request Forgery

Cross Site Request Forgery is a dangerous and extremely major attack. Imagine a user come in to site and trying to update some information that requires authentication before they are allowed to perform update. Once the user logs in the Form Authentication your site will be sent the users browser an authentication cookie and every subsequent request of the site the users browser will send that cookie along and ASP.NET will see the user is already be authenticated. There is nothing wrong with the browser to sending the cookie along this is how the browser and cookie works that means the user doesn’t need to enter the username and password in every single request they make. They authenticate themselves once and the cookie will allow them to remain authenticated at least for the duration of the session

Then what is the problem?

If the user visit some other site or strict in picking up some html from a malicious source which had bad intention , then this malicious source can and provide a form just like a form that our application would given to the user and then if the user submit the form the call again will be authenticated because the authentication cookie be gave to the users browser always travel along every request and will save the information in to the database like we always do one we have authenticated request. Only the information in the request probably is in something user wants to submit. Someone strict the user in to transferring money or editing their account. The problem here is that not simply say we need the user to be authenticated when submit some information. We also have to be checking the information that the user is submitting coming from a form that our application presented to the user. We want to be preventing them when submitting the form from a malicious source.

Demo

To demonstrate a CSRF I am applying the authorize attribute to my two Edit action methods of my application.

I can save, edit the records because I had already authenticated. Below is a sample record that I had saved in to the database successfully

In the developer point of view we are confident that I having authorized attribute in place for preventing malicious user from edit an Employee details.

Watch would happen that I logged in as a user. Come across an interesting link in my system

May be this link will you get from an email or from another website or some other areas of internet. Now I am going to click the link and seen a page will up.

Now look at the record that we had saved earlier has changed. What happen?

Look at the source code of the link

Look at the action that form point to which has the same URL where the employee is posted. The form contains all of the input needed for to complete the request and also at the bottom some line of JavaScript for automatically submitting the form when the page loads.

How can we prevent this?

Use @Html.AntiForgeryToken() inside the form tag. This token will add a hidden input value that is unique to browsing session. Also sending a matching value in a cookie to the users browser so the user has accepts this cookie and that something malicious website would not be able to do.

Also you should put an attribute ValidateAntiForgeryToken for matching the form value and cookie value

I again going to edit my record what the malicious user had done. Now I am going to click that link again and the ASP.NET MVC thrown an exception that AntiForgeryToken is not supplied or invalid.