Reputation: 1686
I still don't understand how the Anti-Forgery Token works in MVC. From MSDN:
Anti-Forgery Tokens
To help prevent CSRF attacks, ASP.NET MVC uses anti-forgery tokens, also called request verification tokens.
Here is an example of an HTML form with a hidden form token:
<form action="/Home/Test" method="post">
    <input name="__RequestVerificationToken" type="hidden"
           value="6fGBtLZmVBZ59oUad1Fr33BuPxANKY9q3Srr5y[...]" />
    <input type="submit" value="Submit" />
</form>
My question is this: since we can find the hidden token value easily by looking at the source code (F12 in any browser), can we manually set the cookie by going to the Developer Tools (Ctrl-Shift-J or Tools -> Developer Tools) -> Console and entering the JavaScript command:
document.cookie="keyofcookie=valueofcookie"?
Then we can manually set the tokens to the same value and thereby disable the Anti-Forgery technology?
Upvotes: 0
Views: 4079
Reputation: 4475
That cookie is HttpOnly and it cannot be set from JavaScript, since all recent browsers implement HttpOnly. Also, the cookie token and the form token contain different base64-encoded encrypted information; decryption is server-side stuff.
Moreover, these tokens are not compared for equality; they complement each other's data. Also, you did not read the complete article: MVC has its own methods to validate the token as well.
Check if the link below helps.
https://www.codeproject.com/Articles/793384/ASP-NET-Anti-Forgery-Tokens-internals
Upvotes: 1
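A simplified model of the pairing the answer above describes, added here as an example; it is not code from the question, the answer or ASP.NET MVC. It models the two tokens as a shared random nonce carried in different structures, each authenticated with a server-side key (ASP.NET encrypts them with machine-key/data-protection material; the HMAC, the `|` layout and the function names are assumptions for illustration). The validator checks that the pair belongs together and to the logged-in user, so a form token copied from page source plus a cookie value typed into the console does not pass.

```python
import base64
import binascii
import hashlib
import hmac
import os

# Server-side secret (constructed at startup). It never reaches the browser,
# so a client cannot mint a cookie token that validates.
SERVER_KEY = os.urandom(32)
MAC_LEN = 32  # SHA-256 digest length


def _sign(payload: bytes) -> bytes:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()


def _encode(*fields: str) -> str:
    """Serialise fields and append a MAC so tampering or forgery is detectable."""
    payload = "|".join(fields).encode()
    return base64.urlsafe_b64encode(payload + _sign(payload)).decode()


def _decode(token: str):
    """Return the fields of a genuine token, or None if malformed/forged."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except (ValueError, binascii.Error):
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    if len(mac) != MAC_LEN or not hmac.compare_digest(mac, _sign(payload)):
        return None
    return payload.decode(errors="replace").split("|")


def issue_tokens(username: str):
    """Cookie token and form token share a nonce but are not equal."""
    nonce = os.urandom(16).hex()
    cookie_token = _encode("cookie", nonce)
    form_token = _encode("form", nonce, username)
    return cookie_token, form_token


def validate(cookie_token: str, form_token: str, current_user: str) -> bool:
    """Accept only a cookie/form pair that was issued together for this user."""
    c, f = _decode(cookie_token), _decode(form_token)
    if c is None or f is None or len(c) != 2 or len(f) != 3:
        return False
    if c[0] != "cookie" or f[0] != "form":
        return False
    return hmac.compare_digest(c[1], f[1]) and f[2] == current_user
```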
Reputation: 719
As the documentation says:
Anti-forgery tokens work because the malicious page cannot read the user's tokens, due to same-origin policies. (Same-origin policies prevent documents hosted on two different sites from accessing each other's content. So in the earlier example, the malicious page can send requests to example.com, but it cannot read the response.)
That means copying the cookie value and using it from any different location will not work because of the said policy.
Upvotes: 0