- Posted On 20 September 2014
- In Programming
This post covers what cross-site request forgery (CSRF) is and how you can prevent it in your MVC web application using a simple mechanism called the "Anti-Forgery Token".
What is Cross Site Request Forgery (CSRF)?
Cross-site request forgery is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. It's also known as a "one-click attack".
In simple words, it is a type of attack in which a user's identity gets used to send a bad request to a site on which that user is already authenticated.
E.g. suppose a user has logged in to abcbank.com and, like most sites, abcbank.com puts a cookie in the user's browser containing authentication information. In that case, if someone sends a bad request to abcbank.com from the user's browser, it gets executed because the user is already authenticated and already allowed to send information, which is very dangerous from the point of view of the site's security. This example is very general and is just for understanding purposes. Bank sites nowadays are well maintained in terms of user security and usually have multiple ways to authenticate a user's request.
For more information you can visit the Wikipedia article on CSRF or search for more about it.
Now let's check how you can prevent CSRF while developing a web application in MVC.
If you are an experienced MVC developer then you might already know about the @Html.AntiForgeryToken() method available in the HTML helper extensions provided by MVC, but if you are a newbie or have just shifted to MVC from traditional event-based ASP.NET (.aspx, my first love in technology) then you might be using it without being much aware of what it does.
So let’s see what it is.
You need to call the @Html.AntiForgeryToken() method in your view inside BeginForm(), like below.

```cshtml
@using (Html.BeginForm())
{
    @Html.AntiForgeryToken()
    ………
    ………
}
```

When you use the method like above, the anti-forgery token gets written into a hidden form field by the server when the form is generated.
One more step is to add the ValidateAntiForgeryTokenAttribute to the action method that you want to protect, like below.

```csharp
[HttpPost]
[Authorize(Roles = "Admin")]
[ValidateAntiForgeryToken()]
public ActionResult SaveInformation(InformationModel infomodel)
{
    if (ModelState.IsValid)
    {
        ......
    }
    return View(infomodel);
}
```

That's it. Now whenever you submit the form, the anti-forgery token gets validated first, and if it is missing or does not match, an error such as "The required anti-forgery form field "__RequestVerificationToken" is not present" is shown.
So even if someone submits a fake form to the server it gets rejected, as it doesn't have the correct anti-forgery token: the value in the hidden field must match the token the server stored in the user's cookie, which ensures the form was generated by this server for this user's session and not by another site.
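A mistake that defeats this protection is simply forgetting the attribute on one POST action. As an added example (not code from the original post), the following global filter runs the same check on every state-changing request; it assumes ASP.NET MVC 5 with the System.Web.Helpers assembly referenced, and the class and method names are my own.

```csharp
using System;
using System.Web.Helpers;
using System.Web.Mvc;

// Performs the same validation as [ValidateAntiForgeryToken], but only for
// HTTP methods that change state, so it can be registered once globally
// and no POST action can be left unprotected by accident.
public sealed class ValidateAntiForgeryTokenOnUnsafeMethodsAttribute
    : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null)
            throw new ArgumentNullException("filterContext");

        string method = filterContext.HttpContext.Request.HttpMethod;

        // Safe methods must stay side-effect free; they carry no form
        // token, so they are not validated here.
        if (method == "GET" || method == "HEAD" ||
            method == "OPTIONS" || method == "TRACE")
        {
            return;
        }

        // Same check the built-in attribute performs: the token in the
        // __RequestVerificationToken cookie must pair with the token in
        // the hidden field written by @Html.AntiForgeryToken().
        // Throws HttpAntiForgeryException when either is missing or mismatched.
        AntiForgery.Validate();
    }
}

// App_Start/FilterConfig.cs: register once and it applies to every controller.
public static class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new ValidateAntiForgeryTokenOnUnsafeMethodsAttribute());
    }
}
```

With the filter registered, a forged POST arriving without the matching cookie/form token pair is rejected before the action runs, exactly as with the per-action attribute.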
Hope this simple post has benefited you by adding some useful information to your knowledge bank. If you have something positive to add to this post then please share it in the comment section.
- Tags :
- MVC