Recently, in my project, I had to make sure that my ASP.NET MVC website is not prone to Cross-Site Request Forgery (CSRF) attacks. I read a few blogs and found that with MVC's built-in AntiForgeryToken, it's very easy to do so. However, it required manually changing all actions and views. In this blog, I will try to explain what a CSRF attack is and how it can be avoided using action filters.
A CSRF attack happens when a valid user of a legitimate website visits a malicious website. For authentication, the user's browser stores a cookie for future communications with the legitimate website. When the user navigates to the malicious website, that site makes the browser send a request to the legitimate website, and the browser automatically attaches the stored cookie, so the request looks like it came from the user.
A simple solution to this problem is to use MVC's AntiForgeryToken mechanism. For this, we add the token in all POST forms as shown below -
And in our action method, we can use the ValidateAntiForgeryToken attribute as shown below -
What this mechanism does is add a hidden form field to the form and validate it (against a matching cookie) when that form is posted back, as shown below -
This approach is fine if we have few actions. If we have a lot of actions, then we can use MVC's action filters to automate this process a bit. I am taking this code from Scott's blog located here. This code is for MVC2, but it is applicable to MVC3 as well.
What this code does is create two attributes: one to be applied to all POST methods by default, and the other to give us an option to opt out in case we don't want to validate a particular POST method. It also demonstrates how powerful action filters in MVC are. The next step for us is to create a controller base class and apply the attribute UseAntiForgeryTokenOnPostByDefault to this class. This ensures that all actions pass through this filter. The ShouldValidateAntiForgeryTokenManually() method then makes sure that only POSTs are validated manually, and only those actions which have neither BypassAntiForgeryToken nor the normal ValidateAntiForgeryToken attribute (so the check is never skipped for an unprotected POST and never run twice).
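The filter described above, written out as an added example (this is not Scott's code nor this project's; the attribute and method names follow the post, and the base controller and the AccountController actions are hypothetical). It delegates to the framework's own ValidateAntiForgeryTokenAttribute so the manual check behaves exactly like the normal one:

```csharp
using System;
using System.Web.Mvc;

// Opt-out marker: a POST action (or whole controller) carrying this skips the default check.
[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, Inherited = true, AllowMultiple = false)]
public sealed class BypassAntiForgeryTokenAttribute : Attribute { }

// Applied once on a base controller so that every POST action runs through this filter.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = false)]
public sealed class UseAntiForgeryTokenOnPostByDefaultAttribute : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (ShouldValidateAntiForgeryTokenManually(filterContext))
        {
            // Reuse the built-in validator: it compares the hidden form field with the
            // anti-forgery cookie and throws HttpAntiForgeryException on mismatch.
            new ValidateAntiForgeryTokenAttribute().OnAuthorization(filterContext);
        }
    }

    private static bool ShouldValidateAntiForgeryTokenManually(AuthorizationContext filterContext)
    {
        // Only state-changing POSTs are covered; GETs are expected to be side-effect free.
        string httpMethod = filterContext.HttpContext.Request.HttpMethod;
        if (!string.Equals(httpMethod, "POST", StringComparison.OrdinalIgnoreCase))
            return false;

        ActionDescriptor action = filterContext.ActionDescriptor;
        ControllerDescriptor controller = action.ControllerDescriptor;

        // Explicit opt-out on the action or on its controller.
        if (action.IsDefined(typeof(BypassAntiForgeryTokenAttribute), true)
            || controller.IsDefined(typeof(BypassAntiForgeryTokenAttribute), true))
            return false;

        // Already covered by the normal attribute; do not validate twice.
        if (action.IsDefined(typeof(ValidateAntiForgeryTokenAttribute), true)
            || controller.IsDefined(typeof(ValidateAntiForgeryTokenAttribute), true))
            return false;

        return true;
    }
}

// Hypothetical base class: every controller that derives from it gets the default check.
[UseAntiForgeryTokenOnPostByDefault]
public abstract class BaseController : Controller { }

public class AccountController : BaseController
{
    [HttpPost] // protected by default: the form must carry @Html.AntiForgeryToken()
    public ActionResult ChangeEmail(string email) { return RedirectToAction("Index"); }

    [HttpPost, BypassAntiForgeryToken] // explicit opt-out, e.g. an endpoint with no side effects
    public ActionResult Ping() { return new EmptyResult(); }
}
```

A POST to ChangeEmail without a valid token fails authorization before the action body runs, while Ping is the only POST on this controller that is deliberately left unchecked.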