
I have one question about Mvc antiforgerytoken

In an MVC Razor page we can place the code `@Html.AntiForgeryToken()` inside the form. It generates a token, and this token is filled into a hidden input field like:

 <input name="__RequestVerificationToken" type="hidden"
 value="6I2CsrmAhiDlHewQ4q4khXAENgaa66kDiGwHgaN5DV0f4W2_c2nyVA-q2OCingcgKLPNhSSeyuS_WaTmAGzpo3F5gUq9Wx89iXH1ujq6ZwGG5rO8v_F-4hYj5gEVZ1-E-DpxkcO7zIjMUKVH1bjPMo7Ot3UJHLl5r9isfCLyiOA1">

Question: I can easily create a request to download this MVC Razor page to get the token from the "__RequestVerificationToken" field, then post bad data to attack the specified server. Does this mean the antiforgery token function is also not safe?

Phil3992
Dragon

2 Answers


The AntiForgeryToken() is meant to ensure that cross-site request forgery attacks (CSRFs) can't succeed, and the token does that: if the request to the form's target came from another site, it would not have the correct token, and so the request would be immediately rejected. If the other site has to first contact your site to get the token, then it might as well have been going through your site to begin with.

Erik Philips
dlev
  • It's not the only validation. Users can turn off sending referrer headers – Ufuk Hacıoğulları Jun 24 '14 at 21:05
  • Yes, I mean the other site has to first download the page from my site, then it will get the correct token and submit its bad data with the correct token. I did a test: I copied the token from my site, then put this token into an HTML page with one submit button and one hidden value, and it could be submitted successfully. – Dragon Jun 24 '14 at 21:07
  • @Dragon The corresponding cookie (as mentioned in Ufuk's answer) is supposed to prevent that. – dlev Jun 24 '14 at 21:08
  • @Dragon Keep in mind that you will create the cookie if you display the form before. Use private browsing to display the form. – Ufuk Hacıoğulları Jun 24 '14 at 21:11
  • @UfukHacıoğulları Sorry, I'm a little confused. My question: 1. Use a console application to create a request to download page1 from site1. 2. Get the token from the result of page1. 3. Submit data to the action of page1 with the token. – Dragon Jun 24 '14 at 21:31
  • And I did not see a cookie being created after I visited my page. – Dragon Jun 24 '14 at 21:35
  • @Dragon Do you have [ValidateAntiForgeryTokenAttribute](http://stackoverflow.com/questions/13621934/validateantiforgerytoken-purpose-explanation-and-example) on your action method that responds to POST request? – Ufuk Hacıoğulları Jun 24 '14 at 21:37

It's safe. Placing an anti-forgery token in the form also creates a cookie named __RequestVerificationToken with the same token. This cookie is also validated to verify the request. Since the attacker can't add cookies to the application domain, it can't pass this validation.

Steve Sanderson has a nice blog post that explains it in detail.

Ufuk Hacıoğulları
  • The post says: "This is an authorization filter that checks that: the incoming request has a cookie called __RequestVerificationToken; the incoming request has a Request.Form entry called __RequestVerificationToken; these cookie and Request.Form values match." But actually, I can submit the data even when I do not have the cookie. – Dragon Jun 24 '14 at 21:39
  • You can see I got the token, just put it into my HTML page, submitted it to the other site, and it's working. – Dragon Jun 24 '14 at 21:41
  • @Dragon Can you show Text action method in HomeController? – Ufuk Hacıoğulları Jun 24 '14 at 21:43
  • `[HttpPost] [ValidateAntiForgeryToken] public ActionResult Text() { ViewBag.Notice = Request.Form["Notice"].ToString(); return View(); }` – Dragon Jun 24 '14 at 21:45
  • @Dragon You accepted the answer. Does that mean you identified the problem? The code you posted should throw an exception when the data is posted. – Ufuk Hacıoğulları Jun 24 '14 at 21:47
  • Not totally. The problem now is that while I'm testing two different pages from two domains in the same browser, Page1 (from Domain1) can submit data with the token to Page2 (from Domain2), but it won't work if I open them in two different browsers. There must be something related to cookies, but I cannot solve it now. – Dragon Jun 24 '14 at 21:57
  • It seems they are sharing cookies within one browser: I can see the cookie '__RequestVerificationToken' in Domain2, but not in Domain1 (which contains the attack page). – Dragon Jun 24 '14 at 22:00
  • I would like to share a post with you, it's very nice: http://adam.kahtava.com/journal/2009/11/25/what-are-anti-cross-site-request-forgery-tokens-and-what-are-they-good-for/ – Dragon Jun 24 '14 at 22:47
  • @Dragon That explains it I guess. I thought your console app was only doing the parsing and you were posting the data from the browser. You may want to take a look [this question](http://stackoverflow.com/q/33969/205859) for request throttling. – Ufuk Hacıoğulları Jun 24 '14 at 23:00
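The three checks quoted from the blog post in the comments (cookie present, form field present, the two values match) are what make the scraped-token scenario fail. The following Python simulation is an added example, not ASP.NET MVC's own implementation and not code from either answer: it stands in for the `ValidateAntiForgeryToken` filter with a constructed server key, binds the hidden-field token to the cookie token with an HMAC (the real framework uses a different, machineKey-based encoding; the binding is the assumption here), and replays the requests discussed in the thread, including the console app that downloads the page but never holds the cookie.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Mapping, Tuple

# Constructed demo key; in ASP.NET MVC the material comes from machineKey.
SERVER_KEY = b"constructed-demo-key-not-a-real-secret"
COOKIE_NAME = "__RequestVerificationToken"  # name from the page
FIELD_NAME = "__RequestVerificationToken"   # hidden input emitted by @Html.AntiForgeryToken()


def issue_tokens(key: bytes = SERVER_KEY) -> Tuple[str, str]:
    """Mint a random cookie token and a form token bound to it.

    Assumption of this example: the form token is an HMAC over the cookie
    token, so a form token on its own proves nothing; the server only
    accepts the pair that was issued together.
    """
    cookie_token = secrets.token_hex(16)
    form_token = hmac.new(key, cookie_token.encode(), hashlib.sha256).hexdigest()
    return cookie_token, form_token


def validate_anti_forgery(cookies: Mapping[str, str],
                          form: Mapping[str, str],
                          key: bytes = SERVER_KEY) -> bool:
    """Stand-in for the filter: cookie present, form field present, and match."""
    cookie_token = cookies.get(COOKIE_NAME)
    form_token = form.get(FIELD_NAME)
    if cookie_token is None or form_token is None:
        return False  # either half missing: reject before comparing anything
    expected = hmac.new(key, cookie_token.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(expected, form_token)


def simulate_thread_scenarios() -> Dict[str, bool]:
    """Replay the cases argued about on this page with constructed requests."""
    cookie_token, form_token = issue_tokens()
    scraped_form = {FIELD_NAME: form_token, "Notice": "constructed payload"}
    other_cookie, _ = issue_tokens()  # a second, unrelated session's cookie
    return {
        # The browser that rendered the form sends its cookie plus the field.
        "browser_with_cookie": validate_anti_forgery({COOKIE_NAME: cookie_token}, scraped_form),
        # Dragon's console app: page downloaded, field scraped, no cookie sent.
        "console_app_no_cookie": validate_anti_forgery({}, scraped_form),
        # Another origin cannot set the target domain's cookie; any cookie it
        # could supply is not the one the field was bound to.
        "foreign_cookie": validate_anti_forgery({COOKIE_NAME: other_cookie}, scraped_form),
        # Cookie present but field stripped from the post.
        "cookie_without_field": validate_anti_forgery({COOKIE_NAME: cookie_token},
                                                      {"Notice": "constructed payload"}),
    }


if __name__ == "__main__":
    for name, accepted in simulate_thread_scenarios().items():
        print(f"{name:24s} -> {'accepted' if accepted else 'rejected'}")
```

The one case the simulation cannot show is the same-browser test from the comments: when both pages are open in one browser, the browser attaches Domain2's cookie to the cross-site post, so the pair validates only because the tester copied the hidden field by hand. A page on another origin cannot read that field thanks to the same-origin policy, which is why the answer calls the scheme safe; what the filter does not do is rate-limit or authenticate a client that legitimately holds both halves, which is the throttling point raised in the last comment.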