
I am getting a CSRF issue when scanned with HP Fortify.

jQuery.fn.downloadContentUsingServerEcho = function (fileName, contentType, contentEncoding, content) {
    // Earlier AJAX attempt, left commented out
    //$.ajax({
    //    type: 'POST',
    //    url: 'download/' + fileName,
    //    contentType: 'application/json; charset=utf-8',
    //    data: JSON.stringify({ contentType: contentType, contentEncoding: contentEncoding, content: content })
    //});

    // Build a form that POSTs the content to the server, which echoes it back
    // as a file download into the 'downloadTarget' frame/window.
    var form = document.createElement('form');
    form.id = 'downloadForm';
    form.method = 'post';
    form.target = 'downloadTarget';
    form.action = 'download/' + fileName;

    var data = {
        contentType: contentType,
        contentEncoding: contentEncoding,
        content: content
    };

    // One field per property; a textarea is used so large or multi-line content is carried intact.
    for (var propName in data) {
        if (!data.hasOwnProperty(propName)) { continue; }
        var input = document.createElement('textarea');
        input.name = propName;
        input.value = data[propName];
        form.appendChild(input);
    }

    document.body.appendChild(form);
    form.submit();
    document.body.removeChild(form);
};

I am getting it on this line: form.method = 'post';

Appreciate your help to fix this issue.

Thanks,

bk

Bala

2 Answers


If you are asking how to prevent CSRF attacks, OWASP has some good information on it.

OWASP - Cross Site Request Forgery (CSRF)

Note: It is also hard to read what you are trying to do in your code; you should format it so we can see what you are trying to accomplish.

SBurris
  • Hello @SBurris. I have formatted the code. I have checked on CSRF but I am unable to resolve this. – Bala Dec 14 '16 at 07:08

I don't quite understand what your issue is. If HP Fortify is saying that you aren't using a CSRF token to secure your AJAX call, then you need to generate a token and pass it up to the server.

For implementation in ASP.NET, Microsoft gives a good tutorial on this: https://www.asp.net/mvc/overview/security/xsrfcsrf-prevention-in-aspnet-mvc-and-web-pages

To automatically add the CSRF token to all AJAX POST calls, you can simply add a prefilter; see: include antiforgerytoken in ajax post ASP.NET MVC

Note: Some frameworks such as Telerik require the CSRF token to be in options.data instead of just the header.

Matthew Peterson
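An added example (not the answerer's code, nor Microsoft's) of the two places the token has to go in the asker's setup: the jQuery prefilter for $.ajax calls, and the dynamically built form from the question, which never passes through $.ajax and so needs the token as a form field. It assumes an ASP.NET MVC page that renders @Html.AntiForgeryToken() as a hidden input named __RequestVerificationToken and a server action that validates that field or header.

```javascript
// Assumption: ASP.NET MVC's anti-forgery hidden input and header name.
var TOKEN_FIELD = '__RequestVerificationToken';

// Read the token the server rendered into the page; null if it is missing.
function readAntiForgeryToken(doc) {
  var el = doc.querySelector('input[name="' + TOKEN_FIELD + '"]');
  return el ? el.value : null;
}

// Core of the prefilter, kept free of jQuery/DOM so it can be checked directly.
// Adds the token as a header and, when jQuery will form-encode a plain data
// object, also as a body field (some frameworks only validate options.data).
// GET/HEAD are left untouched: state-changing requests are what need the token.
function attachAntiForgeryToken(options, token) {
  var method = (options.type || 'GET').toUpperCase();
  if (method === 'GET' || method === 'HEAD' || !token) { return options; }
  options.headers = options.headers || {};
  options.headers[TOKEN_FIELD] = token;
  if (options.data && typeof options.data === 'object') {
    options.data[TOKEN_FIELD] = token;
  }
  return options;
}

// Register with jQuery when it is loaded (skipped outside a browser).
if (typeof jQuery !== 'undefined') {
  jQuery.ajaxPrefilter(function (options) {
    attachAntiForgeryToken(options, readAntiForgeryToken(document));
  });
}

// The question's form-post download bypasses $.ajax, so the prefilter never
// sees it; the token must be appended as one of the generated form's fields.
// Returns the name/value pairs to create textareas for, refusing to build a
// form that would post without a token.
function downloadFormFields(data, token) {
  if (!token) { throw new Error('anti-forgery token not found in page'); }
  var fields = [];
  for (var name in data) {
    if (data.hasOwnProperty(name)) { fields.push({ name: name, value: data[name] }); }
  }
  fields.push({ name: TOKEN_FIELD, value: token });
  return fields;
}
```

Validating the header on the server still needs an action filter that reads the header (the linked Microsoft tutorial shows one); [ValidateAntiForgeryToken] alone only checks the form field.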