17

In ASP.NET MVC 1.0, there is a new feature for handling cross site request forgery security problem:

 <%= Html.AntiForgeryToken() %>
[ValidateAntiForgeryToken]
public ViewResult SubmitUpdate()
{
    // ... etc
}

I found the token generated in html form keep changing every time a new form is rendered.

I want to know how these token is generated? And when use some software to scan this site, it will report another security problem: Session fixed. Why? Since the token keep changed, how can this problem come ?

And there is another function, that is "salt" for the antiForgeryToken, but I really know what this used for, even through we don't use "salt" to generate the token, the token will changes all the time, so why have such function?

JasonMArcher
  • 14,195
  • 22
  • 56
  • 52
MemoryLeak
  • 7,322
  • 23
  • 90
  • 133

2 Answers2

21

Lots of info on the AntiForgeryToken here: http://blog.codeville.net/2008/09/01/prevent-cross-site-request-forgery-csrf-using-aspnet-mvcs-antiforgerytoken-helper/

This is to prevent a Cross-Site Request Forgery (CSRF). It's pretty standard behavior to click 'Save' sumbit a form and perform some action on the server, i.e. save a user's details. How do you know the user submitting the form is the user they claim to be? In most cases you'd use some cookie or windows based auth.

What if an attacker lures you to a site which submits exactly the same form in a little hidden IFRAME? Your cookies get submitted intact and the server doesn't see the request as any different to a legit request. (As gmail has discovered: http://www.gnucitizen.org/blog/google-gmail-e-mail-hijack-technique/)

The anti-forgery token prevents this form of attack by creating a additional cookie token everytime a page is generated. The token is both in the form and the cookie, if the form and cookie don't match we have a CSRF attack (as the attacker wouldn't be able to read the anti-forgery token using the attack described above).

And what does the salt do, from the article above:

Salt is just an arbitrary string. A different salt value means a different anti-forgery token will be generated. This means that even if an attacker manages to get hold of a valid token somehow, they can’t reuse it in other parts of the application where a different salt value is required.

Update: How is the token generated? Download the source, and have a look at the AntiForgeryDataSerializer, AntiForgeryData classes.

russau
  • 8,928
  • 6
  • 39
  • 49
  • Actually I know all of this, did you see my problem ? I come from the blog just now. – MemoryLeak Sep 10 '09 at 00:19
  • Which problem "Session fixed", or the question about "salt"? "Session fixed" I'm not familiar with, what are you using to scan the site? – russau Sep 10 '09 at 00:22
  • thanks, russau, but i just don't agree on the blog post, then i ask a question here.... – MemoryLeak Sep 10 '09 at 02:14
  • i've updated my answer with a link to the source.. I had a quick read thru it but couldn't immediately work out exactly how they are creating the token. – russau Sep 10 '09 at 04:59
  • I don't think the cookie token is generated every page load, rather for every new user session. – Scott Dec 03 '12 at 15:06
1

You've ask a few unrelated problems:

  1. I don't know why your security software is reporting 'session fixed'. Try reading the documentation that comes with the report
  2. The anti-forgery token:

This is used (presumably) to validate that each request is valid. So consider that someone tries to present a link to the page ?x=1, if the token is not also passed, the request will be rejected. Further, it (may) prevent duplicate posting of the same item. If you click 'post' twice, the token will likely change (each request), and this case will be detected via something like:

Session["nextToken"] = token;
WriteToken(token);

...

if( !Request["nextToken"] == Session["nextToken"] ){
    ...
}

// note: order in code is slightly different, you must take the token
// before regenerating it, obviously

I think the term for this (the attack it protects) is called "CSRF" (Cross-Site Request Forgery), these days.

Noon Silk
  • 54,084
  • 6
  • 88
  • 105