Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to protect against CSRF by default in ASP.NET MVC 4?

Tags:

Is there a way to ensure ASP.NET MVC 4 forms are protected against CSRF by default?

For instance, is there a way to have AntiForgeryToken automatically applied to all forms in both views and controller actions?

Background on this question: Prevent Cross-Site Request Forgery (CSRF) using ASP.NET MVC’s AntiForgeryToken() helper and Anatomy of a Cross-site Request Forgery Attack.

like image 497
Fernando Correia Avatar asked Apr 01 '12 14:04

Fernando Correia

People also ask

How can we prevent CSRF attacks in asp net core?

You can protect users of your ASP.NET Core applications from CSRF attacks by using anti-forgery tokens. When you include anti-forgery tokens in your application, two different values are sent to the server with each POST. One of the values is sent as a browser cookie, and one is submitted as form data.

What is a way you can prevent CSRF attacks?

The most effective method of protecting against CSRF is by using anti-CSRF tokens. The developer should add such tokens to all forms that allow users to perform any state-changing operations. When an operation is submitted, the web application should then check for the presence of the correct token.

Is CSRF enabled by default?

CSRF protection is enabled by default. However, it is simple to disable CSRF protection if it makes sense for your application.

What is the best Defence against CSRF?

Login CSRF can be mitigated by creating pre-sessions (sessions before a user is authenticated) and including tokens in login form.

2 Answers

To add to osoviejo's excellent answer, the instructions below, from my recent blog post on CSRF, put his work together with the information in Phil's blog in one comprehensive answer.

ASP.NET/MVC provides a mechanism for this: you can add to to a collection of filters on the global FilterProviders object. This allows you to target some controllers and not others, adding the needed security feature.

First, we need to implement an IFilterProvider. Below, you can find Phil Haack's Conditional Filter Provider class. Begin by adding this class to your project.

public class ConditionalFilterProvider : IFilterProvider {     private readonly       IEnumerable<Func<ControllerContext, ActionDescriptor, object>> _conditions;      public ConditionalFilterProvider(       IEnumerable<Func<ControllerContext, ActionDescriptor, object>> conditions)     {         _conditions = conditions;     }      public IEnumerable<Filter> GetFilters(         ControllerContext controllerContext,         ActionDescriptor actionDescriptor)     {         return from condition in _conditions                select condition(controllerContext, actionDescriptor) into filter                where filter != null                select new Filter(filter, FilterScope.Global, null);     } }

Then, add code to Application_Start that adds a new ConditionalFilterProvider to the global FilterProviders collection that ensures that all POST controller methods will require the AntiForgeryToken.

IEnumerable<Func<ControllerContext, ActionDescriptor, object>> conditions =      new Func<ControllerContext, ActionDescriptor, object>[] {     // Ensure all POST actions are automatically      // decorated with the ValidateAntiForgeryTokenAttribute.      ( c, a ) => string.Equals( c.HttpContext.Request.HttpMethod, "POST",     StringComparison.OrdinalIgnoreCase ) ?     new ValidateAntiForgeryTokenAttribute() : null };  var provider = new ConditionalFilterProvider(conditions);  // This line adds the filter we created above FilterProviders.Providers.Add(provider);

If you implement the two pieces of code above, your MVC application should require the AntiForgeryToken for every POST to the site. You can try it out on Phil Haack's CSRF example web site - once protected, the CSRF attack will throw System.Web.Mvc.HttpAntiForgeryException without having to add the [ValidateAntiForgeryToken] annotation. This rules out a whole host of "forgetful programmer" related vulnerabilities.

like image 129
Kyle Avatar answered Sep 27 '22 20:09

Kyle

You can use a filter provider with a condition that the filter ValidateAntiForgeryTokenAttribute() be applied whenever HttpContext.Request.HttpMethod == "POST".

I essentially followed the generic approach described by Phil Haack, and added the appropriate condition:

// Ensure all POST actions are automatically decorated with the ValidateAntiForgeryTokenAttribute. ( c, a ) => string.Equals( c.HttpContext.Request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase ) ?  new ValidateAntiForgeryTokenAttribute() : null
like image 30
osoviejo Avatar answered Sep 27 '22 21:09

osoviejo
Sign in to Comment

Related questions

How do I add Markdown formatting in a code / pre block?
How does Python's unittest module detect test cases?
Writing a large project using J programming language [closed]
Slot is being called multiple times every time a signal is emitted
how to read a csv file from a url?
Zip folder recursively, save for a given sub folder (Linux)
What are strongly connected components used for?
apache Tomcat installation directory in ubuntu / configure Tomcat in eclipse + ubuntu
JQuery use .on() with not selector
C# How to format a double to one decimal place without rounding
Which method is called? (Integer... a) vs. (int a, int b)
Prevent scrolling in a MKMapView, also when zooming

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!