12

First of all, I'm still a starter in MVC4. After noticing that many actions are decorated with [ValidateAntiForgeryToken], I googled it, but I'm still kind of confused.

Can anybody explain that concept using the simplest example?

LifeScript

2 Answers

18

In simple words, it prevents external POST requests, so nobody can use your methods from other sites.

How it works: you have AntiForgeryToken inside Html.BeginForm in your View.

@using (Html.BeginForm())
{
    @Html.AntiForgeryToken()
    @* fields of the form go here *@
}

When you submit the form, you send the data to your Controller method. If the method has the ValidateAntiForgeryToken attribute, it validates whether the data you are sending contains your ForgeryToken.

[HttpPost]                 // the token travels with the submitted form, so the action handles POST
[ValidateAntiForgeryToken] // the check runs before the body; a missing or wrong token throws
public ViewResult Update()
{
    return View();
}

ForgeryToken is generated once per session.

Andrey Gubal
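To make the answer above concrete, here is an added example (not code from the answer or from ASP.NET MVC itself) showing the full round trip in ASP.NET MVC 4: a GET action renders the form, the view emits the token with @Html.AntiForgeryToken(), and the POST action is guarded by [ValidateAntiForgeryToken]. The names AccountController, ProfileModel and Views/Account/Update.cshtml are assumptions for the example.

```csharp
// Added example, not from the answer or the framework.
// Assumed names: AccountController, ProfileModel, Views/Account/Update.cshtml.
using System.Web.Mvc;

public class ProfileModel
{
    public string DisplayName { get; set; }
}

public class AccountController : Controller
{
    // GET: /Account/Update
    // Renders the form. @Html.AntiForgeryToken() in the view writes the hidden
    // __RequestVerificationToken field and sets the matching cookie.
    [HttpGet]
    public ViewResult Update()
    {
        return View(new ProfileModel());
    }

    // POST: /Account/Update
    // [ValidateAntiForgeryToken] runs before this body: it pairs the hidden
    // form field with the cookie. A request that lacks the field, or whose
    // field does not pair with the cookie, is rejected with
    // System.Web.Mvc.HttpAntiForgeryException and the body never executes.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Update(ProfileModel model)
    {
        if (!ModelState.IsValid)
        {
            return View(model);
        }
        // ... persist model.DisplayName here ...
        return RedirectToAction("Update");
    }
}

/* Views/Account/Update.cshtml (Razor view for the actions above):

@model ProfileModel
@using (Html.BeginForm("Update", "Account", FormMethod.Post))
{
    @Html.AntiForgeryToken()
    @Html.LabelFor(m => m.DisplayName)
    @Html.TextBoxFor(m => m.DisplayName)
    <input type="submit" value="Save" />
}
*/
```

The [HttpGet] and [HttpPost] overloads share one name so the same URL serves the form and receives it; only the POST side carries [ValidateAntiForgeryToken], because a GET has no form body in which the hidden field could travel. If you want a friendlier page than the default error for a rejected request, handle HttpAntiForgeryException in Application_Error or with a filter rather than catching it inside the action, since the action is never entered.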
6

Lots of info on the AntiForgeryToken here: http://blog.codeville.net/2008/09/01/prevent-cross-site-request-forgery-csrf-using-aspnet-mvcs-antiforgerytoken-helper/

This is to prevent a Cross-Site Request Forgery (CSRF). It's pretty standard behavior to click 'Save', submit a form, and perform some action on the server, i.e. save a user's details. How do you know the user submitting the form is the user they claim to be? In most cases you'd use some cookie or Windows-based auth.

What if an attacker lures you to a site which submits exactly the same form in a little hidden IFRAME? Your cookies get submitted intact and the server doesn't see the request as any different to a legit request. (As gmail has discovered: http://www.gnucitizen.org/blog/google-gmail-e-mail-hijack-technique/)

The anti-forgery token prevents this form of attack by creating an additional cookie token every time a page is generated. The token is both in the form and in the cookie; if the form and cookie don't match, we have a CSRF attack (as the attacker wouldn't be able to read the anti-forgery token using the attack described above).

And what does the salt do? From the article above:

Salt is just an arbitrary string. A different salt value means a different anti-forgery token will be generated. This means that even if an attacker manages to get hold of a valid token somehow, they can’t reuse it in other parts of the application where a different salt value is required.

How is the token generated? Download the source, and have a look at the AntiForgeryDataSerializer and AntiForgeryData classes.

This has a duplicate.

Bhushan Firake
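The answer above describes the mechanism in words: a token lives in both the form and the cookie, the two must pair up, and a salt scopes a token to one part of the application. The following is an added, deliberately simplified model of that check, written for this page; it is not the framework's AntiForgeryData code (which additionally encrypts the token and, in MVC 4, binds it to the logged-in user name). All names here (AntiForgeryModel, the hashing scheme, the sample salts) are assumptions for the illustration.

```csharp
// Added example: a simplified model of the form/cookie pairing the answer
// describes. Not ASP.NET MVC's real implementation.
using System;
using System.Security.Cryptography;
using System.Text;

public static class AntiForgeryModel
{
    // Random value stored in the cookie when the page is rendered.
    public static string NewCookieToken()
    {
        var bytes = new byte[16];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(bytes);
        }
        return Convert.ToBase64String(bytes);
    }

    // Hidden-field value derived from the cookie token and the salt.
    // A page on another origin can make the browser SEND our cookie, but it
    // cannot READ it, so it cannot compute this value for its own form.
    public static string FormTokenFor(string cookieToken, string salt)
    {
        using (var sha = SHA256.Create())
        {
            var data = Encoding.UTF8.GetBytes(cookieToken + "|" + salt);
            return Convert.ToBase64String(sha.ComputeHash(data));
        }
    }

    // What [ValidateAntiForgeryToken] conceptually does: accept only when the
    // submitted hidden field pairs with the cookie for this salt.
    public static bool Validate(string cookieToken, string formToken, string salt)
    {
        if (string.IsNullOrEmpty(cookieToken) || string.IsNullOrEmpty(formToken))
        {
            return false; // a cross-site form carries the cookie but no hidden field
        }
        return FixedTimeEquals(FormTokenFor(cookieToken, salt), formToken);
    }

    // Compare without leaking where the strings first differ.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed scenario: the server rendered /Account/Update for a user.
        string cookie = AntiForgeryModel.NewCookieToken();
        string hiddenField = AntiForgeryModel.FormTokenFor(cookie, "Account.Update");

        // 1. Legitimate submit: browser sends the cookie and the hidden field.
        Console.WriteLine("legit submit:      "
            + AntiForgeryModel.Validate(cookie, hiddenField, "Account.Update"));

        // 2. Cross-site submit: the browser still attaches the cookie, but the
        //    attacker's form has no usable hidden field.
        Console.WriteLine("cross-site submit: "
            + AntiForgeryModel.Validate(cookie, null, "Account.Update"));

        // 3. A token captured for one part of the app replayed elsewhere:
        //    the salt differs, so it does not pair.
        Console.WriteLine("wrong salt:        "
            + AntiForgeryModel.Validate(cookie, hiddenField, "Admin.DeleteUser"));
    }
}
```

The model makes the answer's two claims checkable: scenario 2 fails because the attacker never sees the hidden field, not because the cookie is missing, and scenario 3 fails because the salt is folded into the token. Treat it as a teaching aid only; in a real application use the framework's helper and attribute rather than rolling your own check.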