CSRF: Prevent Cross-Site Request Forgery using AntiForgeryToken() in MVC


Introduction

Whenever we work on an application we are constrained by the project scope and its business logic to meet the delivery deadline. We cannot focus as much on security, and later, after deployment, our project is hacked through cross-site request forgery. .NET Framework has introduced a security feature to protect the data of our MVC projects using an anti-forgery token whenever we submit data through our MVC application. Cross-site scripting (XSS) is the most dangerous issue on the web (internet applications). I have already explained a very well-known MVC error, Unexpected if keyword after @ character.

How does it work to prevent CSRF requests? The steps are provided below.

Here we define AntiForgeryToken() in the MVC view and validate it in the controller to protect our website from a CSRF attack. A POST request with the anti-forgery token is shown, because the anti-forgery token works only with the POST method, not with GET. The core MVC packages already include the HTML helpers that provide the facility to avoid a potential CSRF attack.

Namespace: System.Web.Mvc

@using (Html.BeginForm("Checkforanti", "Test", FormMethod.Post))
{
    @* Emits the hidden __RequestVerificationToken field and sets the matching anti-forgery cookie *@
    @Html.AntiForgeryToken()
    <input type="submit" value="Create" />
}

Validate AntiForgeryToken() in the Controller

We need to write the necessary code in the MVC controller to protect our sensitive data from CSRF requests.
The MVC controller code sample is illustrated below. We need to add the ValidateAntiForgeryToken attribute to our POST method to reject potentially harmful CSRF requests.

[HttpPost]
[ValidateAntiForgeryToken()]   // compares the __RequestVerificationToken form field with the anti-forgery cookie before the action runs
public ActionResult Checkforanti(string _str)
{
    return View();
}

How is AntiForgeryToken() rendered in the browser?

It is rendered as a hidden input field, as shown below:

<input name="__RequestVerificationToken" type="hidden" value="XBkRoc3uM9fXmGLO-vfrWSz8axwgWgkNJN-N4yGtMe6n0WCTc0ABKG71InJXPtkeMfTJGwUI307BFRZ96VzhxmG1gOCaIe4TI7qmXJ1H8_k1" />
If we do not write the correct code to handle the AntiForgeryToken() token, it will throw an error.

Error Description

The required anti-forgery form field "__RequestVerificationToken" is not present.
If we comment out AntiForgeryToken() in the MVC view while the MVC controller action still requires it with ValidateAntiForgeryToken, it will throw the very well-known error: The required anti-forgery form field "__RequestVerificationToken" is not present.
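The view and controller steps above, put together as one added example (this is illustrative code written for this post, not code from the ASP.NET MVC framework itself): a controller whose GET action renders the form and whose POST action is guarded by [ValidateAntiForgeryToken], plus an exception filter that turns the HttpAntiForgeryException behind the error message above into a logged 400 response instead of the default error page. The controller and action names match the view snippet above; the filter class name AntiForgeryFailureFilter is an assumption chosen for this example.

```csharp
using System.Net;
using System.Web.Mvc;

public class TestController : Controller
{
    // GET /Test/Checkforanti renders the view, which calls @Html.AntiForgeryToken()
    // to emit the hidden __RequestVerificationToken field and set the matching cookie.
    [HttpGet]
    public ActionResult Checkforanti()
    {
        return View();
    }

    // POST /Test/Checkforanti: the attribute compares the form field with the
    // anti-forgery cookie before this method body runs. A cross-site form has
    // neither the cookie value nor the form field, so it is rejected here.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Checkforanti(string _str)
    {
        ViewBag.Message = "Token validated, request accepted.";
        return View();
    }
}

// Exception filter (assumed name) that converts a failed token check into a
// 400 Bad Request so the failure is visible and can be logged, rather than
// surfacing as a generic server error page.
public class AntiForgeryFailureFilter : FilterAttribute, IExceptionFilter
{
    public void OnException(ExceptionContext filterContext)
    {
        // Only handle anti-forgery failures; leave other exceptions alone.
        if (!(filterContext.Exception is HttpAntiForgeryException))
        {
            return;
        }

        var response = filterContext.HttpContext.Response;
        filterContext.ExceptionHandled = true;
        response.StatusCode = (int)HttpStatusCode.BadRequest;
        // Keep our own response body instead of the IIS custom error page.
        response.TrySkipIisCustomErrors = true;
        filterContext.Result = new ContentResult
        {
            Content = "Anti-forgery token validation failed: " + filterContext.Exception.Message
        };
    }
}

// Registration, normally in App_Start/FilterConfig.cs and called from Application_Start.
public static class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new AntiForgeryFailureFilter());
    }
}
```

With the filter registered, removing @Html.AntiForgeryToken() from the view and posting the form reproduces the error message from this section as a 400 response, which is easier to spot in web server logs than an unhandled exception.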

Drawbacks of the Anti-Forgery helpers

  1. All of your users must accept cookies for the protection to work. Until the browser accepts the anti-forgery cookie, your website is not under protection.
  2. AntiForgeryToken() works only for the POST method, not for GET, so it does not protect data while it is being retrieved from our database.
  3. If your domain has XSS holes, it is very easy for an attacker to read your anti-forgery token and get into your website. Your website must be free of XSS holes.
  4. You need to protect your cookies in the browser to avoid attacks on sensitive information.
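Two of the drawbacks above have concrete mitigations in the same framework, shown here as an added example written for this post (not code from the MVC framework or from the original article). A global authorization filter validates the token on every POST so that no state-changing action is left unprotected if a developer forgets the attribute, and AntiForgeryConfig.RequireSsl restricts the anti-forgery cookie to HTTPS. The filter class name ValidateAntiForgeryTokenOnAllPostsAttribute is an assumption; AntiForgery.Validate(), AntiForgeryConfig and GlobalFilters are the framework's own types in the System.Web.Helpers and System.Web.Mvc namespaces.

```csharp
using System.Web.Helpers;   // AntiForgery, AntiForgeryConfig (System.Web.WebPages assembly)
using System.Web.Mvc;

// Global filter (assumed name) that performs the same check as
// [ValidateAntiForgeryToken] on every POST request in the application.
public class ValidateAntiForgeryTokenOnAllPostsAttribute : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        var request = filterContext.HttpContext.Request;

        // Tokens do not protect GET (drawback 2), so GET actions must stay free of
        // side effects; only state-changing POSTs are checked here.
        if (request.HttpMethod != "POST")
        {
            return;
        }

        // Reads __RequestVerificationToken from the form and the anti-forgery cookie
        // and throws HttpAntiForgeryException if either is missing or they do not match.
        AntiForgery.Validate();
    }
}

public class MvcApplication : System.Web.HttpApplication
{
    protected void Application_Start()
    {
        // Mark the anti-forgery cookie Secure so it is only sent over HTTPS and cannot be
        // read or replaced over plain HTTP (drawback 4).
        AntiForgeryConfig.RequireSsl = true;

        GlobalFilters.Filters.Add(new ValidateAntiForgeryTokenOnAllPostsAttribute());
    }
}
```

Because the global filter already validates every POST, the per-action [ValidateAntiForgeryToken] attribute becomes redundant but harmless. To cover the remaining cookies of the application as well, the web.config setting `<httpCookies httpOnlyCookies="true" requireSSL="true" />` under `<system.web>` applies the same HttpOnly and Secure flags site-wide.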

Conclusion

In short, the MVC anti-CSRF helpers help us make our website more secure over the internet. It is our responsibility to protect our sensitive data from attackers.

Video: Prevent Cross-Site Request Forgery using AntiForgeryToken() in MVC

Anjan kant

Outstanding journey in Microsoft Technologies (ASP.Net, C#, SQL Programming, WPF, Silverlight, WCF etc.), client side technologies AngularJS, KnockoutJS, Javascript, Ajax Calls, Json and Hybrid apps etc. I love to devote free time in writing, blogging, social networking and adventurous life
