Cross Site Request Forgery in ASP.NET MVC

 Cross Site Request Forgery

                Cross Site Request Forgery is a dangerous and extremely major attack. Imagine a user come in to site and trying to update some information that requires authentication before they are allowed to perform update. Once the user logs in the Form Authentication your site will be sent the users browser an authentication cookie and every subsequent request of the site the users browser will send that cookie along and ASP.NET will see the user is already be authenticated. There is nothing wrong with the browser to sending the cookie along this is how the browser and cookie works that means the user doesn’t need to enter the username and password in every single request they make. They authenticate themselves once and the cookie will allow them to remain authenticated at least for the duration of the session

Then what is the problem?

                If the user visit some other site or strict in picking up some html from a malicious source  which had bad intention , then this malicious source can and provide a form just like a form that our application would given to the user and then if the user submit the form the call again will be authenticated because the authentication  cookie be gave to the users browser always travel along every request and will save the information in to the database like we always do one we have authenticated  request. Only the information in the request probably is in something user wants to submit. Someone strict the user in to transferring money or editing their account. The problem here is that not simply say we need the user to be authenticated when submit some information. We also have to be checking the information that the user is submitting coming from a form that our application presented to the user. We want to be preventing them when submitting the form from a malicious source.

Demo

                To demonstrate a CSRF I am applying the authorize attribute to my two Edit action methods of my application.

22

I can save, edit the records because I had already authenticated. Below is a sample record that I had saved in to the database successfully

23

In the developer point of view we are confident that I having authorized attribute in place for preventing malicious user from edit an Employee details.

Watch would happen that I logged in as a user. Come across an interesting link   in my system

24

 

May be this link will you get from an email or from another website or some other areas of internet. Now I am going to click the link and seen a page will up.

25

 

Now look at the record that we had saved earlier has changed. What happen?

26

Look at the source code of the link

27

Look at the action that form point to which has the same URL where the employee is posted. The form contains all of the input needed for to complete the request and also at the bottom some line of JavaScript for automatically submitting the form when the page loads.

How can we prevent this?

Use @Html.AntiForgeryToken() inside the form tag. This token will add a hidden input value that is unique to browsing session. Also sending a matching value in a cookie to the users browser so the user has accepts this cookie and that something malicious website would not be able to do.

                Also you should put an attribute ValidateAntiForgeryToken for matching the form value and cookie value

28

I again going to edit my record what the malicious user had done. Now I am going to click that link again and the ASP.NET MVC thrown an exception that AntiForgeryToken is not supplied or invalid.

 29

Hope you are enjoying my article…

 

Anti XSS Library in ASP.NET MVC

In this previous article you had read about XSS attack. Now i am to explain an Anti XSS library from Microsoft to prevent XSS attack.

Anti XSS Library

                Someone come to a form and enter some script like below

30

It’s also more malicious. Fortunately Microsoft provide a library for prevent this. You can download it via nugget or Library Package Manager Console (Visual Studio>>Tools>>Library Package Manager>>Package Manager Console and type Install-Package AntiXSS and press enter).

                What I am going to do I am putting a line of code in the below Edit action post method

31

And this code will remove all the malicious things

32

Hope you are enjoying my article…

XSS and How to prevent XSS attack in ASP.NET MVC

Introduction to XSS

           There are some specific threats we will face. One popular attack of this phase is Cross Site scripting attack or XSS. In Cross scripting attack the malicious user will try to have your website load a malicious script in to the user’s browser. It could be a malicious script, active-x control and even some malicious html. The malicious scripts can theft the cookie, Modify user settings, Download Malware, Modify content. One of the worst cross site script attack is Account Hijacking; the malicious users can access the user’s credentials and personal information.

15

Once this happen, your users become vulnerable to any number of problems. 

Demo

16

This is a simple application for saving employee information. Let I am putting some html tag like I am from <em>India</em> and then I try to save this , ASP.NET automatically reject this request to prevent Cross site scripting attack because the ASP.NET is going to look for anything that resembles the html and just reject the request. Actually there is no wrong with the emphasis tag but ASP.NET is not trying to make a distinction here anything that looks like html is going to be rejected.

17

Sometimes user need to upload some html in to the server then there are always circumvents this request validation. You have to extremely careful. One option is put ValidationInput attribute to the destiny here in Create action.

18

So you can successfully process this request

19

              Now we can have a problem that html encoded here this is because razor is going to encode everything by default which is good. There is another defense against the cross site scripting and we can fix that easily however the validate input false is completely disabling the check for cross site scripting malicious html and really we only need html inside of one specific property. So you can allow html to one property using AllowHtml attribute. Also some changes need to be done, remove ValidateInput attribute from the Create action and also make sure that we should pass EmployeeViewModel class as action parameter that means model binding will takes place will move the html in to that property. Also one change in the view to show the html without encoding by putting ViewData in Html.Raw helper.

20

And then again going to save one more and display the ViewData in the same view contain html tag.

21

Hope you are enjoying my article…In the next i had explained about Anti XSS Library

 

 

 

Authorization in ASP.NET MVC

   In the previous article i had explain about Authentication in ASP.NET MVC. Now I am going to explain a little bit about Authorization in ASP.NET MVC

Authorization

                The authorize attribute also allows you to set some parameters to enforce authorization rules. First we need to know the user’s identity and then we can say only the specific identities to allow accessing these actions.

11

Authorize attribute also allows you to specify the Roles. In Windows Authentication by default map to Windows groups on server or groups configured in the active directory. You can put roles like below

12

             In Forms Authentication ASP.NET has a role provider. By using these you can store, manage roles in a SqlServer database. These can configured in the application by default.The easiest way to do that is use the below button in the solution explorer

13

 

                  It launches ASP.NET configuration tool .This is the tool you are only going use in the local development machine. It’s going to look in the web.config location and use the same application services database as that Form Authentication provider of using that is already configured inside of there. You can add , manage roles from here. While doing these it automatically map to db we are configured in the web.config file.

14

Hope you are enjoying  my article…