Cross-Site Request Forgery (CSRF), also known as a one-click attack or session riding, is an attack on a web application or website in which a malicious user inserts or updates data on behalf of a logged-in user of the application by giving that user a link that points not to the victim website but to the attacker's own website.
In this type of attack the victim site's user does not know that by clicking the attacker's link he is helping the attacker push malicious data into the victim website.
Prevent CSRF Attack MVC and AJAX
Anti-Forgery Tokens in ASP.NET MVC
To prevent CSRF attacks, ASP.NET MVC uses anti-forgery tokens, also called request verification tokens. The anti-forgery helper generates a hidden form field (the anti-forgery token) that is validated when the form is submitted, as in the following example.
To add the anti-forgery token to a Razor view, use the HtmlHelper.AntiForgeryToken helper method inside the form (BeginForm takes the action name first, then the controller name):
@using (Html.BeginForm("SubmitForm", "Home")) {
    @Html.AntiForgeryToken()
    @* the hidden __RequestVerificationToken field is emitted here *@
}
In the controller, restrict the action to POST and validate the token before doing any work:
[HttpPost]
[ValidateAntiForgeryToken]
public ViewResult SubmitForm()
{
    // ... etc: only reached when the cookie token and form token match
}
In ASP.NET we also need to check that incoming requests carry a Referer header referencing our own domain; this stops requests unwittingly submitted from a third-party domain. For jQuery AJAX requests we generate a long random string token and save it against the user. When the AJAX request is performed we submit that token with it, and on the server side we check that the token matches the one saved for that user.
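The AJAX variant described above, as an added example that is not code from the original post: the server reuses the framework's own token pair (the __RequestVerificationToken cookie plus the token rendered by @Html.AntiForgeryToken()) instead of inventing a separate per-user string, and the client sends the form token in a request header. The header name "RequestVerificationToken", the filter class name, the CsrfDemo namespace and the UpdateProfile action are all assumptions made for this example.

```csharp
// Added example (not from the original post): validating the anti-forgery
// token on a jQuery AJAX request in ASP.NET MVC 5. The client copies the value
// of the hidden __RequestVerificationToken input into a request header
// (assumed name: "RequestVerificationToken"); the cookie half of the pair
// travels automatically in the anti-forgery cookie.
using System;
using System.Net;
using System.Web.Helpers;
using System.Web.Mvc;

namespace CsrfDemo.Filters
{
    // Authorization filter: runs before the action and rejects the request
    // unless the header token and the cookie token form a valid pair.
    [AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, AllowMultiple = false, Inherited = true)]
    public sealed class ValidateAjaxAntiForgeryTokenAttribute : FilterAttribute, IAuthorizationFilter
    {
        private const string HeaderName = "RequestVerificationToken"; // assumed header name

        public void OnAuthorization(AuthorizationContext filterContext)
        {
            var request = filterContext.HttpContext.Request;

            // AntiForgeryConfig.CookieName is the framework's configured cookie name.
            var cookie = request.Cookies[AntiForgeryConfig.CookieName];
            var cookieToken = cookie == null ? null : cookie.Value;
            var headerToken = request.Headers[HeaderName];

            if (string.IsNullOrEmpty(cookieToken) || string.IsNullOrEmpty(headerToken))
            {
                // Missing token: refuse before the action body runs.
                filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden, "Missing anti-forgery token");
                return;
            }

            try
            {
                // The same check [ValidateAntiForgeryToken] performs for form posts,
                // fed from the header instead of the hidden form field.
                AntiForgery.Validate(cookieToken, headerToken);
            }
            catch (HttpAntiForgeryException)
            {
                filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden, "Invalid anti-forgery token");
            }
        }
    }
}

namespace CsrfDemo.Controllers
{
    using CsrfDemo.Filters;

    public class HomeController : Controller
    {
        // State-changing AJAX endpoint: POST only, and a valid token is required.
        // A cross-site page cannot read the token from our DOM, so it cannot
        // forge the header even though the browser attaches the cookie.
        [HttpPost]
        [ValidateAjaxAntiForgeryToken]
        public JsonResult UpdateProfile(string displayName)
        {
            // ... persist the change for the logged-in user ...
            return Json(new { ok = true, displayName });
        }
    }
}
```

On the client, the view still renders @Html.AntiForgeryToken() somewhere on the page; the jQuery call reads the hidden input's value and passes it as `headers: { "RequestVerificationToken": token }` in `$.ajax`. Because the check compares the header token against the cookie token, it does not depend on the Referer header being present, which is the gap the Referer-only check leaves for clients or proxies that strip that header.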
Read full tutorial from asp.net site