One. What is CSRF?
CSRF (Cross-Site Request Forgery) is also known as one-click attack or session riding, and is abbreviated CSRF or XSRF.
Two. What can CSRF do?
You can understand it this way: in a CSRF attack, an attacker borrows your identity and sends a malicious request in your name. Things CSRF can do include sending mail or messages in your name, stealing your account, even buying goods or transferring virtual money ... The resulting problems include personal privacy leaks and threats to property security.
Three. Status of CSRF vulnerabilities
CSRF as an attack method was already described by foreign security researchers in 2000, but in China it received little attention until 2006. In 2008 a number of large community and interactive sites at home and abroad were found to have CSRF vulnerabilities, for example NYTimes.com (the New York Times), MetaFilter (a large blog site), YouTube and Baidu Hi ... Even now, many sites on the Internet remain defenseless, which is why the security industry calls CSRF "the sleeping giant".
Four. Principle of CSRF
As you can see, to complete a CSRF attack the victim must complete two steps in turn:
1. Log in to trusted website A and generate a cookie locally.
2. Without logging out of A, visit dangerous website B.
Reading this, you may say: "If I do not satisfy one of the above two conditions, I will not be attacked by CSRF." That is true, but you cannot guarantee that the following will not happen:
1. You cannot guarantee that after logging in to a website you will never open another tab and visit a different site.
2. You cannot guarantee that your local cookie expires immediately after you close the browser and that your last session has ended. (In fact, closing the browser does not end the session, but most people mistakenly assume that closing the browser is the same as logging out / ending the session ...)
3. The so-called attacking website may itself be a trusted, frequently visited website that has other vulnerabilities.
Reposted from: http://www.cnblogs.com/hyddd/archive/2009/04/09/1432744.html
Specific steps:
1. Use @Html.AntiForgeryToken() in the HTML form to prevent CSRF attacks.
2. Correspondingly, add the [ValidateAntiForgeryToken] filter attribute to the controller action. This attribute makes the server check whether the request has been tampered with. Note: this attribute only works for POST requests; it does not apply to GET requests.
3. For JS, our project references <script src="@Url.Content("~/content/js/jquerytoken-1.4.2.js")" type="text/javascript"></script>
In JS, use $.ajaxAntiForgery, for example:
$.ajaxAntiForgery({
    type: "POST",
    data: { GroupName: $("#GroupName").val(), GroupPhones: $("#GroupPhones").val() },
    dataType: "json",
    url: "/event/mass/addgroup",
    success: function (data) {
        if (data) {
            alert("Add success");
            $.unblockUI();
        }
        else {
            alert("Add failed");
        }
    }
});
Note: prevent CSRF attacks whenever data is added or reviewed!
Purpose: prevent CSRF (cross-site request forgery).
Usage: in the view's form: <%: Html.AntiForgeryToken() %>
On the controller action: [ValidateAntiForgeryToken]
Principle:
1. <%: Html.AntiForgeryToken() %> generates a hidden field: <input name="__RequestVerificationToken" type="hidden" value="7ftm...sdlr1"/> and a cookie with the key "__RequestVerificationToken"; both are sent to the controller layer.
2. [ValidateAntiForgeryToken] compares the two tokens passed in: if they are the same, access is allowed; if they differ, access is denied.
Key point: ValidateAntiForgeryToken only works for POST requests.
In other words, [ValidateAntiForgeryToken] must be combined with [HttpPost] on an action to work properly.
I don't want to dig into the principle of this right now; next time I will take a good look at the MVC source code.
But based on what I said above, I wrote some cases to test it.
Cases:
1. The [ValidateAntiForgeryToken] attribute is added to both the GET and POST versions of an action.
Action:
2. Request the action via POST from a test page: the result is success. The values of the hidden field and the cookie can also be obtained.
Test POST page:
3. Request the action via GET from a test page: error.
Test GET page:
Recommended ways of use:
1. POST only: the idea is to reject all GET requests and only allow our own POSTs. (Safe, but not flexible)
2. GET only for display, open to everyone; POST for changes, closed to outsiders and open only to ourselves. (Flexible, but not safe enough)
Someone abroad said that the filter itself is actually not safe; he said that all requests can be forged.
About CSRF attacks and the solution in MVC: [ValidateAntiForgeryToken]