
I have some legacy code under ASP MVC 3 (which absolutely breaks all theoretical ASP MVC ideas). As I understand it, this code was possible to hack via sending a fake postback to the controller? I just wonder how it is possible to hack ValidateAntiForgeryToken and fake the Session. What software can people use for it?

// Using directives and the controller class wrapper were added so the posted action compiles.
// The class name is assumed; GetStandardJsonActionResult and Constants.CaptchaCodeSessionKey
// are helpers from the poster's own project and are not shown on this page.
using System;
using System.Web.Mvc;

public class AccountController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken] // rejects the POST unless the form token matches the anti-forgery cookie
    public ActionResult ProcessSignUpRequest()
    {
        string message = "";
        string username = Request.Form["txtusername"];
        string email = Request.Form["txtemail"];
        string name = Request.Form["txtusername"];      // as posted: reads the username field, not a separate name field
        string password = Request.Form["txtoldpassword"];
        string txtCaptcha = Request.Form["txtcaptcha"];
        string startTime = Request.Form["startTime"];
        string userphone = Request.Form["phone"];

        try
        {
            // The captcha answer generated on the GET is kept in the server-side session and the
            // submitted value must equal it. A client that fetched the form itself (and can read
            // the captcha) holds everything it needs to pass this comparison.
            if (txtCaptcha != (string)Session[Constants.CaptchaCodeSessionKey])
            {
                message = "captcha is wrong";
                return GetStandardJsonActionResult(false, message);
            }

            // some code about adding user to database

            return GetStandardJsonActionResult(true, message);
        }
        catch (Exception ex)
        {
            return GetStandardJsonActionResult(false, "Not possible to create user. " + username);
        }
    }
}
    Here is a good [answer](http://stackoverflow.com/questions/13621934/validateantiforgerytoken-purpose-explanation-and-example) on AntiForgeryToken. – lbrahim May 27 '14 at 10:21

1 Answer


AntiForgeryToken will create a hidden field inside your form and put a value in it. During the post, if the value doesn't match what MVC generated, your request will be cancelled. It just confirms that the post came from your website. Search for CSRF (Cross-site request forgery).

Captcha will "verify" that a "person" filled in your form, and that it's not a robot/crawler.

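The following is an added, runnable model of what the two checks discussed above actually compare; it is not code from the question, the answer, or ASP.NET MVC itself. It is written in Python rather than C#, and everything in it is an assumption of the model: the names (SERVER_KEY, issue_form, validate_anti_forgery, process_sign_up), binding the form token to the anti-forgery cookie and session id with an HMAC, and handing the captcha answer to the client as plain text in place of an image. The constructed scenarios show why a cross-site forged POST fails both without a token and with a token lifted from the attacker's own session, and why a script that fetches the form in its own session and reads the captcha passes both checks; the anti-forgery token only proves the POST originated from a page the same browser loaded, not that a person filled it in.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Per-application secret (assumed; stands in for the server-side key that signs tokens).
SERVER_KEY = secrets.token_bytes(32)
CAPTCHA_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


@dataclass
class ServerState:
    # session id -> per-session data (here only the expected captcha answer)
    sessions: dict = field(default_factory=dict)


def new_session(state: ServerState) -> str:
    sid = secrets.token_hex(16)
    state.sessions[sid] = {}
    return sid


def issue_form(state: ServerState, sid: str) -> dict:
    """Models the GET of the sign-up page: a fresh captcha answer goes into the session,
    a random anti-forgery cookie is set, and the hidden form field carries an HMAC that
    binds that cookie to the session. Returns what the browser ends up holding."""
    captcha = "".join(secrets.choice(CAPTCHA_ALPHABET) for _ in range(5))
    state.sessions[sid]["captcha"] = captcha
    cookie_token = secrets.token_hex(16)
    form_token = hmac.new(SERVER_KEY, f"{cookie_token}|{sid}".encode(), hashlib.sha256).hexdigest()
    return {
        "cookies": {"sid": sid, "__RequestVerificationToken": cookie_token},
        # "captcha_image" holds the plain answer: a constructed stand-in for the rendered image
        "page": {"__RequestVerificationToken": form_token, "captcha_image": captcha},
    }


def validate_anti_forgery(cookies: dict, form: dict) -> bool:
    """Models [ValidateAntiForgeryToken]: cookie token, form token and session must agree."""
    sid = cookies.get("sid")
    cookie_token = cookies.get("__RequestVerificationToken")
    form_token = form.get("__RequestVerificationToken")
    if not (sid and cookie_token and form_token):
        return False
    expected = hmac.new(SERVER_KEY, f"{cookie_token}|{sid}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, form_token)


def process_sign_up(state: ServerState, cookies: dict, form: dict) -> tuple:
    """Models ProcessSignUpRequest: the attribute check runs before the action body, then the
    submitted captcha is compared with the session. Consuming the answer after a successful
    check is an addition to the posted code so a captured answer cannot be replayed."""
    if not validate_anti_forgery(cookies, form):
        return (False, "anti-forgery token missing or invalid")
    session = state.sessions.get(cookies.get("sid"), {})
    if form.get("txtcaptcha") != session.get("captcha"):
        return (False, "captcha is wrong")
    session.pop("captcha", None)
    return (True, "")


def run_scenarios() -> dict:
    state = ServerState()
    results = {}

    # 1. Legitimate browser: loads the form, the user reads the captcha, everything is posted back.
    victim = new_session(state)
    issued = issue_form(state, victim)
    form = {"__RequestVerificationToken": issued["page"]["__RequestVerificationToken"],
            "txtusername": "alice", "txtcaptcha": issued["page"]["captcha_image"]}
    results["legit"] = process_sign_up(state, issued["cookies"], form)

    # 2. Classic CSRF: a third-party page makes the victim's browser POST here. The cookies ride
    #    along automatically, but the attacker cannot read the victim's page, so no form token.
    issued = issue_form(state, victim)
    csrf_form = {"txtusername": "attacker-chosen", "txtcaptcha": "guess"}
    results["csrf_no_token"] = process_sign_up(state, issued["cookies"], csrf_form)

    # 3. Attacker loads the form in their own session and pastes that token into the forged POST.
    #    The token is bound to the attacker's cookie and session, not the victim's, so it fails.
    attacker = new_session(state)
    own = issue_form(state, attacker)
    mixed_form = {"__RequestVerificationToken": own["page"]["__RequestVerificationToken"],
                  "txtusername": "attacker-chosen", "txtcaptcha": own["page"]["captcha_image"]}
    results["csrf_foreign_token"] = process_sign_up(state, issued["cookies"], mixed_form)

    # 4. Scripted direct client: its own session, its own cookies, reads the captcha answer from
    #    the page it fetched. Both checks pass; neither one distinguishes a human from a script.
    own = issue_form(state, attacker)
    bot_form = {"__RequestVerificationToken": own["page"]["__RequestVerificationToken"],
                "txtusername": "bot", "txtcaptcha": own["page"]["captcha_image"]}
    results["direct_script"] = process_sign_up(state, own["cookies"], bot_form)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:20s} -> {outcome}")
```

Scenario 4 is the one the question is asking about: a client that drives the real form (a script, or a person with an intercepting proxy) gets a valid session, a valid token pair and the captcha in one GET, and the controller has no way to tell that POST from a browser's. The anti-forgery token is a defence against cross-site requests only; rate limiting, a captcha that is actually hard to automate, and server-side validation of the posted fields are what stand between such a client and the user table.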