Reputation: 1148
How does AntiForgeryToken work?
I am applying Security to my .net 3.5 mvc2 web application. My website doesn't contain any user authentication and consists of many ajax calls in .js files
In my .aspx file I wrote
<%= Html.AntiForgeryToken() %>
In my .js file function I wrote
$(document).ready(function() {
var token = $('input[name=__RequestVerificationToken]').val();
$.ajax({
url: "/Home/getCurrentLanguage/" + Math.random(),
cache: false,
type: "POST",
async: false,
data: {"__RequestVerificationToken":token},
success: function(data) {
if (data == "mr") {
alert("its Marathi");
} else {
alert("its English huh !!!");
}
return false;
},
error: function(data) {
alert("some Error" + data);
}
});
});
In my Controller I wrote
[AcceptVerbs(HttpVerbs.Post), ValidateAntiForgeryToken]
public JsonResult getCurrentLanguage(string id)
{
return new JsonResult
{
Data = "mr"
};
}
This works fine for me,
but I have 2 Questions
Q1. Is it the correct approach ?
If I see the page source, I found this code
<input name="__RequestVerificationToken" type="hidden" value="WFd+q5Mz0K4RHP7zrz+gsloXpr8ju8taxPJmrLO7kbPVYST9zzJZenNHBZqgamPE1KESEj5R0PbNA2c64o83Ao8w8z5JzwCo3zJKOKEQQHg8qSzClLdbkSIkAbfCF5R6BnT8gA==" />
but when I created the external html file and copy this value of __RequestVerificationToken and pass in ajax call, I am getting this error
A required anti-forgery token was not supplied or was invalid.
then
Q2. How does runtime know that this page is supplying the copied __RequestVerificationToken?
Upvotes: 4
Views: 7315
Answers (2)
Reputation: 2595
To quote from the documentation:
Anti-Forgery Tokens
To help prevent CSRF attacks, ASP.NET MVC uses anti-forgery tokens, also called request verification tokens.
- The client requests an HTML page that contains a form.
- The server includes two tokens in the response. One token is sent as a cookie. The other is placed in a hidden form field. The tokens are generated randomly so that an adversary cannot guess the values.
- When the client submits the form, it must send both tokens back to the server. The client sends the cookie token as a cookie, and it sends the form token inside the form data. (A browser client automatically does this when the user submits the form.)
- If a request does not include both tokens, the server disallows the request.
The point here is that the token in the cookie is secured by having the cookie use Strict setting for the SameSite property. Only the intended application can include the cookie with the token and, therefore, submit the form.
Upvotes: 0
Reputation: 67019
This "AntiForgeryToken" is in place to prevent Cross-Site Request Forgery attacks. This system can be undermined by an attacker if your application suffers from a Cross-Site Scripting vulnerability.
This token prevents CSRF attacks because due to the same-origin policy the attacker can send requests but he cannot read the token off of the page to make the request succeed (unless he has an xss vulnerability).
As for Q2, this value must be unique per user and therefore updated each time the page loads. If its just a static value, then its useless at stopping CSRF because the attacker will know this same static value.
Upvotes: 2
Related Questions
- How does AntiForgeryToken work behind the scenes?
- How to make the AntiforgeryToken As Secure in ASP.net MVC
- What is the Html.AntiForgeryToken helper function for?
- Generating AntiForgeryToken in WebForms
- how does ASP.NET validate anti-forgery token
- How does AntiForgeryToken, specifically, 'match up' with a cookie?
- How does Html.AntiForgeryToken protects against an POST with preceding GET
- How to pass through the AntiForgeryToken in MVC
- how AntiForgeryToken() works in MVC and how to retrieve value at server action method from AntiForgeryToken?
- What are the implementation details and rationale of ASP.NET MVC3's AntiForgeryToken?