Asp.Net MVC Vs Cross-Site Request Forgery attack (CSRF)

- What is the cross-site request forgery ?

- How it works ?

- How can we prevent this attack ?

- How does AntiForgeryToken work ?

- Its parameters

- Its limit


What is the Cross-Site Request Forgery ? It is a kind of malicious exploit where an authenticated user send a command to a system without his/her authorisation.


Example : Leonard is logged into his bank account and he is browsing a forum. Suppose that Peter posted in the forum an image tag that references to an action in Leonard bank web site. When the Leonard browser try to load the image it will submit the action and then the action will be executed. If the action is about moving money from Leonard account to Peter account this operation will be executed.


What is the common scenario where these kind of attack works ? The target site must have an authorization process and provide services related with this authorisation (username and password); Moreover the action was performed without requiring the user to authorise the process.


How can I prevent this kind of attack ? There are some technique to prevent these attacks :

- Limit the lifetime of the session cookies

- Requiring a secret specific user token in all form submit. (Synchronised Token Pattern)

- Requiring to specify the authentications data in the same request when I’m providing sensible operation like money transfert or change important data.


What does .NET Framework provide to prevent this attack ? .Net Framework provides us a very interesting technique named AntiForgeryToken. It creates an hidden form field that is validated when the form is submitted. This technique implement the Synchronised Token pattern.

To use this features we need to insert in our form the statement :






This is the code that will create the hidden field with the token.



@using (Html.BeginForm())
    <!-- My form fields -->



When I will submit the form to my ASP.NET MVC controller the token will be send to the controller that will validate this value. To validate this value we need to decor our action method with this attribute :






This is the code that validate the token on the controller :



public ActionResult Edit(int id, FormCollection collection)
      // ... your code


In the past version of framework I could specify some parameter like Salt, Domain and Path but in the framework version 4 and 4.5 all these parameters are obsolete.
About limits of this class, we can use only when the cookies are enabled in the client side. If we use with Post request we can use the attribute to decorate the method but if we want to use with the get request we need to deal manually with the process of validation.

I hope to deal with this argument completely and clearly. I accept all the feedback that you want to send me. Thanks.

Comments (4) -

Loyce Lipson
10/6/2014 2:08:15 PM #

great blog Smile!

10/8/2014 6:28:15 PM #

Great blog! i love it Smile !

plastic surgery Santa Rosa massachusetts
12/1/2014 7:10:32 PM #

This is really interesting, You are a very skilled blogger. I have joined your rss feed and look forward to seeking more of your great post. Also, I've shared your website in my social networks!

12/29/2014 2:54:33 PM #

There are definitely plenty of details like that to take into consideration. That is a great level to carry up. I supply the ideas above as general inspiration but clearly there are questions just like the one you convey up where an important factor will likely be working in trustworthy good faith. I don?t know if greatest practices have emerged around things like that, but I'm positive that your job is clearly recognized as a good game. Both boys and girls really feel the impression of only a moment�s pleasure, for the rest of their lives.

Add comment


<<  February 2018  >>

View posts in large calendar

Page List

    Month List