
I have one question about the use of AntiForgeryToken provided by MVC 3.

I will try to explain my idea.

The basic idea is an Ajax button to "mark as favorite" one (or more) item from a Catalog. So I have a grid with the entire list of items, and each of these items has a button to mark it as favorite.

Well... my idea for the implementation is this:

When the user pushes the favorite button, this sends a GET request to the server to retrieve a partial view with an AntiForgeryToken (all of this is transparent to the user because it happens in the background).

So when the form is loaded the site automatically submits (POST) the data (the id of the item and the antiforgery token) to mark this item as favorite (again... this happens in the background, so the user never sees anything).

This is the idea, shown as request/response in Firebug:

GET http://localhost/User/Favorite/Mark?url=156

Response from GET:

<form action="/User/Favorite/Mark?url=156" method="post">
<input name="__RequestVerificationToken" type="hidden" value="WVXhVJJ3VNB8HrZQ6CZBPt35z2zvDjaHmlYWrnCvJoDUgeWMEGUGwm3clCD27vFAsxbs0upiRdVdo9Wsus Z7B6SU NQgV3iSYTUtE/EREWqT1Is/kwNZpdNf/3Pi7fD572pO89lTdYEjL0OlzmPJ5tmRQEUq/oMbuj0MnmPZskykGz6HzRmgC4Ez2bBoCp4" />
</form>

-----------------------------

Then submit the form with the AntiForgeryToken:

POST http://localhost/User/Favorite/Mark?url=156

__RequestVerificationToke...    WVXhVJJ3VNB8HrZQ6CZBPt35z2zvDjaHmlYWrnCvJoDUgeWMEGUGwm3clCD27vFAsxbs0upiRdVdo9Wsus Z7B6SU NQgV3iSYTUtE/EREWqT1Is/kwNZpdNf/3Pi7fD572pO89lTdYEjL0OlzmPJ5tmRQEUq/oMbuj0MnmPZskykGz6HzRmgC4Ez2bBoCp4

My question is simple. Is it good practice to get an AntiForgeryToken this way for an Ajax request, or is it a bad idea?

I have this question because I don't know if this idea can create a hole that could be exploited on my site in these specific actions.

Thanks

HolloW

1 Answer

Why don't you just POST a request to the server (using AJAX) when the user hits 'favorite' and use the AntiForgery token you already have in the page? Your approach is needlessly over-complicated.

See Problems implementing ValidatingAntiForgeryToken attribute for Web API with MVC 4 RC and related links for how to get the token into your Ajax request.

Ian Mercer
  • I did not change any state with the GET request. 1) Request the PartialView containing the form with AntiForgeryToken 2) Send the form with the token to make the change on the server. – HolloW Jan 31 '13 at 01:40
  • Yep, I know this is a complicated approach. But the grid is loaded by Ajax, so the button to mark as favorite is nothing more than a route to get the form and then submit it. I don't have the antiForgeryToken when the grid is re/loaded. Thanks – HolloW Jan 31 '13 at 19:11
  • In the linked example, `$token = $('input[name="__RequestVerificationToken"]').val();` finds the token on the page on page load and stores it where any javascript code can access it and use it in requests. You *do* have the token. – Ian Mercer Jan 31 '13 at 19:40
  • I try to understand your approach... but I'm confused. When the View is totally loaded, the grid is filled with an Ajax JSON request. So, I don't have any antiForgeryToken generated at the moment. Are you trying to tell me that I just need to create an AntiForgeryToken in the View and then use it on each favorite request? This is why I do not understand your idea. The concept of AntiForgeryToken is to create an "AntiForgeryToken input" on each form with a different value. Right? Thanks for your time. – HolloW Feb 01 '13 at 03:12
  • You just need a token *somewhere* on the page, see http://stackoverflow.com/questions/4074199/jquery-ajax-calls-and-the-html-antiforgerytoken/4074289#4074289 You can do AJAX with NO form on the page, it doesn't have to be one per form, it's not a 'single use' token. – Ian Mercer Feb 01 '13 at 05:58
  • Mmm, that's new for me. Why the idea of creating an AntiForgeryToken and then using it with any kind of action? If an attacker has the token value, they can POST to the complete list of actions from another site. Because of this, I always thought you needed an antiForgery token for each form. If you can explain to me in more detail or send me a link where I can read about this, it would be very useful. Thanks for your time. – HolloW Feb 01 '13 at 21:41
  • Read Haack's two posts on `ValidateAntiForgeryToken` and the comments under them. An attacker can load the page but they will not have the matching cookie to submit with the form. Having several tokens is no more secure than one (well maybe a tiny bit more secure if you salt each one differently). – Ian Mercer Feb 01 '13 at 22:15
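The approach the answer and its comments describe, as an added example that is not code from the question or the answer: the token rendered once on the page is read a single time and reused for every Ajax POST, and the request is sent with same-origin cookies so the server can compare the form token with its anti-forgery cookie. The helper names, the `fetch` wiring and the reuse of the question's `url=` query parameter are assumptions about the poster's app.

```javascript
// Added example, not from the original page. Assumes the view rendered
// @Html.AntiForgeryToken() once, so a hidden input named
// __RequestVerificationToken exists somewhere on the page.

const TOKEN_FIELD = "__RequestVerificationToken";

// Read the token once at page load. `root` is `document` in the browser; it is
// a parameter so the lookup can be exercised outside a browser as well.
function readAntiForgeryToken(root) {
  const input = root.querySelector(`input[name="${TOKEN_FIELD}"]`);
  if (!input || !input.value) {
    throw new Error("anti-forgery token not found on the page");
  }
  return input.value;
}

// Build the form-encoded POST that replaces the GET-then-auto-submit dance.
// Returns plain data so it can be inspected before being handed to fetch().
function buildMarkFavoriteRequest(token, itemId) {
  const body = new URLSearchParams();
  body.set(TOKEN_FIELD, token);
  return {
    // Same route and query parameter as the question's Firebug capture.
    url: `/User/Favorite/Mark?url=${encodeURIComponent(String(itemId))}`,
    options: {
      method: "POST",
      // The anti-forgery cookie must travel with the form token: the server
      // validates the pair, which is why a token copied from another origin
      // is useless without the matching cookie.
      credentials: "same-origin",
      headers: { "Content-Type": "application/x-www-form-urlencoded" },
      body: body.toString(),
    },
  };
}

// Browser wiring (hypothetical helper): one page-level token, reused per click.
async function markFavorite(itemId, root = globalThis.document) {
  const token = readAntiForgeryToken(root);
  const { url, options } = buildMarkFavoriteRequest(token, itemId);
  const response = await fetch(url, options);
  if (!response.ok) throw new Error(`mark favorite failed: ${response.status}`);
  return response;
}
```

On the server side the action stays an `[HttpPost]` decorated with `[ValidateAntiForgeryToken]`; nothing about the token being reused across clicks changes that check.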