7

currently i'm working on ASP .NET MVC 4 application. We are using the provided [ValidateAntiForgeryToken] and the corresponding @Html.AntiForgeryToken() to generate the hidden field in our forms which are submitted using POST.

So far the mechanism seems to be working properly because if I don't provided the token as input hidden field to the target Action annotated with [ValidateAntiForgeryToken] an error is raised as expected.

However i found really strange that if i captured several generated token using Firebug or Chrome inspector, copy them into notepad and then go to a different page which also uses the AntiForgeryToken and basically replace the hidden field with any of the previous token generated, an error is not raised. I was expecting to always have a 1:1 relation (Page Hidden Field - ValidationAtServer], since if someone is able to obtain that value, will be able to forge any request to any form in the application which need the AntiForgeryToken

I was under the impression that once a token was generated it should not be possible to reuse the same token over an over, I see this a security flaw in the Framework itself.

If someone can provide more insight will be greatly appreciate it.

ssilas777
  • 9,672
  • 4
  • 45
  • 68
jcgarciam
  • 392
  • 5
  • 12

2 Answers2

5

AntiForgeryToken is session base, so that each user has the same token but another user will have a different token. This descussion may be usefull for you: AntiForgeryToken changes per request

Community
  • 1
  • 1
Andrey Gubal
  • 3,481
  • 2
  • 18
  • 21
  • Andrey i had the feeling, but how come i can do the following. Grab few AntiforgeryToken from the HTML, shutdown IIS Express, closes the browser and then after starting up the project i can reuse the same ForgeryToken that i previously grabbed. – jcgarciam Aug 12 '13 at 12:37
1

It's normal behaviour, because it's supposed that antiforgery token isn't compromised. If an atacker was able to compromise token, that means that atacker already has opportunity to compromise any other tokes, that would be generated. E.g. man in middle attacks. So basically there is no need to gereate Antiforgery token per each request, and it will allow you to use already generated one for Ajax requests on current page.

Johnny_D
  • 4,592
  • 3
  • 33
  • 63