About CSRF attacks and solutions in MVC [Validateantiforgerytoken]

what is a. csrf?

CSRF (Cross-site request forgery), Chinese name: cross-site requests forgery, also known as: one click Attack/session Riding, abbreviated as: CSRF/XSRF.

Two. What can csrf do?

You can understand that. CSRF attack: An attacker steals your identity and sends a malicious request on your behalf. The things that CSRF can do include: Send mail in your name, message, steal your account, even buy goods, virtual money transfer ... Issues include: personal privacy breaches and property security.

Three. CSRF Vulnerability status

Csrf This attack method in 2000 has been put forward by foreign security personnel, but at home, until 06 began to be concerned, 08, a number of large communities and interactive sites at home and abroad, respectively, CSRF loopholes, such as: NYTimes.com (New York Times), MetaFilter (a large blog site), YouTube and Baidu Hi ... Now, many sites on the Internet remain defenseless, so that the security industry calls CSRF "the Sleeping Giant".

Four. Principle of CSRF

As you can see, to complete a csrf attack, the victim must complete two steps in turn:

1. Log on to trusted Web site A and generate cookies locally.

2. If you do not log out a, visit the dangerous website B.

See here, you may say: "If I do not meet one of the above two conditions, I will not be attacked by CSRF". Yes, it does, but you cannot guarantee that the following will not happen:

1. You cannot guarantee that once you have logged into a website, you will no longer open a tab page and visit another site.

2. You cannot guarantee that your local cookie will expire immediately after you close your browser, and that your last session has ended. (In fact, closing a browser does not end a session, but most people will mistakenly think that closing the browser is tantamount to quitting the login/end session ...) ）

3. The so-called attack site may be a trusted, often-visited website with other vulnerabilities.

Transfer from: http://www.cnblogs.com/hyddd/archive/2009/04/09/1432744.html

Specific steps:

1. @html.antiforgerytoken () is used in Html forms to prevent CSRF attacks.

2, the corresponding we want to add [Validateantiforgerytoken] Filter features in the controller. This attribute indicates whether the server request was detected for tampering. Note: This attribute can only be used for post requests and the GET request is invalid.

3, as for JS, our project refers to <script src= "@Url. Content (" ~/content/js/jquerytoken-1.4.2.js ")" Type= "Text/javascript" > </script>

To use when JS: $.ajaxantiforgery,
such as:
 $.ajaxantiforgery ({
             type: "Post",
             Data: {GroupName: $ ("#GroupName"). Val (), Groupphones: $ ("#GroupPhones"). Val ()},
    & nbsp;       dataType: "JSON",
             URL: "/event/mass/addgroup",
             Success:function (data) {
                 if (data) {

Alert ("Add success");
$.unblockui ();
}
else {
Alert ("Add failed");
}
}
})

Note: To prevent CSRF attack when the data is added and censored!

About CSRF attacks and solutions in MVC [Validateantiforgerytoken]