If you are a developer, whether a fresher or experienced, you probably have some knowledge of the Anti-Forgery Token in an MVC application. This is built-in functionality provided by Microsoft, and developers often use it in their applications. Everyone knows that it is used for security purposes, to stop attacks from hackers. But for a fresher, the concept and how it works can be a little complicated to understand. In this article, I am trying to make this concept easy to understand for those developers who are in the learning phase and are confused about its functionality and purpose.
What is CSRF?
Let’s first understand what CSRF is. It could be defined as below.
C - Cross
S - Site
R - Request
F - Forgery
Now, read these words one by one and the meaning becomes clear. Cross Site Request Forgery can be defined as a forged request, i.e. a fraudulent or fake request, which arrives at an authenticated site from a different (cross) site and is treated as an authenticated request. This type of attack is called CSRF. To avoid this situation, Microsoft provides built-in functionality which we use in our applications for security purposes, so that a forged request cannot act on our site or expose critical information.
Live - Scenario
Suppose you are logged into your bank account and are going to transfer some money to your friend. A hacker knows that you are logged in and knows the URL of the money transfer submission. Suddenly, you get an email and check it. You see an image and, by mistake, you click on it. Then, after a minute or so, you get another message that some amount has been deducted from your account. That image had been sent by the hacker, and behind that image a request to the transfer URL was submitted when you clicked.
Use of ValidateAntiForgeryToken
Let’s try a simple example to understand this concept. I do not want to make it too complicated, so I am going to use an MVC application template already available in Visual Studio. We will do this step by step. Let’s start.
Create two MVC applications with the default Internet template and name them CrossSite_RequestForgery and Attack_Application respectively.
Now, open the Web.config of the CrossSite_RequestForgery application, replace the connection string with the one given below, and save.
<!-- providerName must be the full ADO.NET provider name, System.Data.SqlClient -->
<add name="DefaultConnection" connectionString="Data Source=local\SQLEXPRESS;Initial Catalog=CSRF;Integrated Security=true;" providerName="System.Data.SqlClient" />
Now, click on Tools >> NuGet Package Manager >> Package Manager Console.
Now, run the three commands below, one at a time, in the Package Manager Console to create the database.
Enable-Migrations
Add-Migration first
Update-Database
Important Note - I have created the database with the code-first approach because I want to make this example the way developers actually work. You can also create the database manually. It's your choice.
Now, open Account Controller. Here, you will see a Register method of type POST. Above this method there is an attribute, [ValidateAntiForgeryToken]. Comment this attribute out. Now, right-click on Register and click Go To View. There you will find an HTML helper, @Html.AntiForgeryToken(). Comment this one out as well. Run the application and click on the Register button. The URL will open as:
Note - I know the question now being raised in every reader’s mind is why these two helpers need to be commented out, as everyone knows they are used to validate the request. I just want to let you all know that this is because I want to show the difference before and after applying these helpers.
Now, open the second application, Attack_Application. Open the Register view of Account Controller and replace its POST form with the simple one shown below.
<form method="post" action="http://localhost:52269/Account/Register">
    <fieldset>
        <legend>Registration Form</legend>
        @Html.LabelFor(m => m.UserName)
        @Html.TextBoxFor(m => m.UserName)
        @Html.LabelFor(m => m.Password)
        @Html.PasswordFor(m => m.Password)
        @Html.LabelFor(m => m.ConfirmPassword)
        @Html.PasswordFor(m => m.ConfirmPassword)
        <input type="submit" value="Register" />
    </fieldset>
</form>
Now, suppose you are a hacker and you know the URL through which a user can be registered in the CrossSite_RequestForgery application. You have created a forgery site, Attack_Application, and simply put that same URL in the form's post action.
Run this application now, fill in the register fields and click on Register. You will see that you are registered in the CrossSite_RequestForgery application. If you check the database of the CrossSite_RequestForgery application, you will see the entry you have just entered.
Important - Now, open the CrossSite_RequestForgery application and uncomment the [ValidateAntiForgeryToken] attribute in Account Controller and the @Html.AntiForgeryToken() helper in the Register view. Try to register again with the same process. This time, an error occurs, as below.
Server Error in '/' Application.
The required anti-forgery cookie "__RequestVerificationToken" is not present.
This is what the concept says. What we add in the View, i.e. @Html.AntiForgeryToken(), generates a __RequestVerificationToken when the page loads: a random value stored in a cookie, plus a matching token in a hidden form field. The [ValidateAntiForgeryToken] attribute on the Controller method compares the two at POST time. A page on another site can neither read that cookie nor produce the matching field, so only a form rendered by our own site carries both. If the tokens match, the request is valid; otherwise it is rejected with the error shown above.
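To make the matching step concrete, here is a small Python model of the cookie-plus-form-field check described above. It is an added example, not code from the article or from ASP.NET MVC: the real framework encrypts and signs its tokens with the machine key, whereas this model binds a random cookie value to the user name with an HMAC under a constructed demo key. The first error message is the one the article shows; the other two messages, the scenario names and the sample user "alice" are assumptions of the model.

```python
import hashlib
import hmac
import secrets

# Constructed demo key. A real server keeps this in protected configuration
# (ASP.NET uses the machine key); it never belongs in source code.
SERVER_KEY = b"constructed-demo-key-not-for-production"

# Both the cookie and the hidden form field carry this name in ASP.NET MVC.
COOKIE_NAME = "__RequestVerificationToken"
FIELD_NAME = "__RequestVerificationToken"


class AntiForgeryError(Exception):
    """Raised when a POST fails the anti-forgery check."""


def _bind(cookie_token: str, username: str) -> str:
    """Derive the form token from the cookie value and the logged-in user."""
    message = f"{cookie_token}|{username}".encode()
    return hmac.new(SERVER_KEY, message, hashlib.sha256).hexdigest()


def issue_tokens(username: str) -> tuple:
    """Model of what @Html.AntiForgeryToken() does when the view renders.

    Returns (cookie_token, form_token). The cookie token is a fresh random
    value the browser stores for the site; the form token is an HMAC over
    that value plus the user, so it only verifies with the cookie it was
    issued against.
    """
    cookie_token = secrets.token_urlsafe(32)
    return cookie_token, _bind(cookie_token, username)


def validate_request(cookies: dict, form: dict, username: str) -> bool:
    """Model of the check [ValidateAntiForgeryToken] performs on a POST."""
    cookie_token = cookies.get(COOKIE_NAME)
    if cookie_token is None:
        # Wording taken from the error the article reproduces.
        raise AntiForgeryError(
            f'The required anti-forgery cookie "{COOKIE_NAME}" is not present.')
    form_token = form.get(FIELD_NAME)
    if form_token is None:
        raise AntiForgeryError(
            f'The required anti-forgery form field "{FIELD_NAME}" is not present.')
    # Recompute the binding and compare in constant time.
    if not hmac.compare_digest(_bind(cookie_token, username), form_token):
        raise AntiForgeryError(
            "The anti-forgery cookie token and form field token do not match.")
    return True


def outcome(cookies: dict, form: dict, username: str) -> str:
    """Return 'valid' or the error message, for the scenarios below."""
    try:
        validate_request(cookies, form, username)
        return "valid"
    except AntiForgeryError as exc:
        return str(exc)


# --- Constructed scenarios ---------------------------------------------------

def scenario_legitimate(username: str = "alice") -> str:
    """The real Register view was loaded, so cookie and form token match."""
    cookie, field = issue_tokens(username)
    form = {FIELD_NAME: field, "UserName": username}
    return outcome({COOKIE_NAME: cookie}, form, username)


def scenario_forged_no_cookie(username: str = "alice") -> str:
    """The article's Attack_Application form: no helper, so no cookie issued."""
    form = {"UserName": username, "Password": "x", "ConfirmPassword": "x"}
    return outcome({}, form, username)


def scenario_forged_cookie_sent_by_browser(username: str = "alice") -> str:
    """The browser attaches the site's cookie automatically, but the
    cross-site page cannot read it, so its form carries no matching field."""
    cookie, _ = issue_tokens(username)
    form = {"UserName": username, "Password": "x", "ConfirmPassword": "x"}
    return outcome({COOKIE_NAME: cookie}, form, username)


def scenario_token_from_other_session(username: str = "alice") -> str:
    """A form token issued against a different cookie does not verify."""
    victim_cookie, _ = issue_tokens(username)
    _, other_form_token = issue_tokens(username)
    form = {FIELD_NAME: other_form_token, "UserName": username}
    return outcome({COOKIE_NAME: victim_cookie}, form, username)


if __name__ == "__main__":
    for fn in (scenario_legitimate, scenario_forged_no_cookie,
               scenario_forged_cookie_sent_by_browser,
               scenario_token_from_other_session):
        print(f"{fn.__name__}: {fn()}")
```

Running the script prints one line per scenario: only the legitimate post reports "valid"; the Attack_Application form hits the "cookie is not present" error from the article, and the two remaining cases show why the defence still holds when the browser does send the cookie, since the attacker's page cannot supply the bound form field.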