Samuel

Reputation: 12351

Antiforgery token in logon form

I read a couple of articles about using an antiforgery token in forms to prevent CSRF attacks. I understand that an attacker can create HTTP GET or POST requests to these forms using the credentials of someone clicking on a link, an image or anything else.

Are there any advantages to using an antiforgery token in a logon form? Considering that the attacker wants to submit information to an HTML form that requires authentication, why would it be useful for this attacker to target the logon page if it's the entry point to being authenticated?

Note that I'm using ASP.NET MVC 4.

Thank you.

Upvotes: 1

Views: 462

Answers (1)

Levi

Reputation: 32828

Putting an anti-forgery token on the login page can help mitigate login CSRF. In short, the attacker tricks the victim into logging in using the attacker's credentials, and any changes the victim makes to the account (such as typing in credit card information) can then be viewed by the attacker.

Upvotes: 2
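
Added example, not part of the answer above or of any project's code: a minimal ASP.NET MVC 4 logon action protected against login CSRF with the framework's anti-forgery token. The `LoginModel` class, the `Home`/`Index` redirect target and the use of the Membership provider are assumptions made for illustration.

```csharp
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical view model for this example.
public class LoginModel
{
    public string UserName { get; set; }
    public string Password { get; set; }
}

public class AccountController : Controller
{
    // GET renders the form; the view emits the hidden token field and
    // the framework sets the matching anti-forgery cookie.
    [HttpGet]
    [AllowAnonymous]
    public ActionResult Login()
    {
        return View(new LoginModel());
    }

    // POST is rejected with HttpAntiForgeryException unless the form field
    // and the cookie are both present and match. A cross-site page cannot
    // read the token, so it cannot submit its own credentials on the
    // victim's behalf.
    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public ActionResult Login(LoginModel model, string returnUrl)
    {
        if (ModelState.IsValid &&
            Membership.ValidateUser(model.UserName, model.Password))
        {
            FormsAuthentication.SetAuthCookie(model.UserName, false);
            // Only follow local return URLs to avoid an open redirect.
            if (Url.IsLocalUrl(returnUrl)) return Redirect(returnUrl);
            return RedirectToAction("Index", "Home");
        }
        ModelState.AddModelError("", "The user name or password is incorrect.");
        return View(model);
    }
}

/* Login.cshtml (Razor view for the action above):
@model LoginModel
@using (Html.BeginForm()) {
    @Html.AntiForgeryToken()
    @Html.TextBoxFor(m => m.UserName)
    @Html.PasswordFor(m => m.Password)
    <input type="submit" value="Log in" />
}
*/
```

Without `[ValidateAntiForgeryToken]` on the POST action, or without `@Html.AntiForgeryToken()` in the form, the logon request can be submitted from any origin.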
