DZone
Thanks for visiting DZone today,
Edit Profile
  • Manage Email Subscriptions
  • How to Post to DZone
  • Article Submission Guidelines
Sign Out View Profile
  • Post an Article
  • Manage My Drafts
Over 2 million developers have joined DZone.
Log In / Join
Refcards Trend Reports
Events Video Library
Over 2 million developers have joined DZone. Join Today! Thanks for visiting DZone today,
Edit Profile Manage Email Subscriptions Moderation Admin Console How to Post to DZone Article Submission Guidelines
View Profile
Sign Out
Refcards
Trend Reports
Events
View Events Video Library
Zones
Culture and Methodologies Agile Career Development Methodologies Team Management
Data Engineering AI/ML Big Data Data Databases IoT
Software Design and Architecture Cloud Architecture Containers Integration Microservices Performance Security
Coding Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks
Culture and Methodologies
Agile Career Development Methodologies Team Management
Data Engineering
AI/ML Big Data Data Databases IoT
Software Design and Architecture
Cloud Architecture Containers Integration Microservices Performance Security
Coding
Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance
Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks

Modern Digital Website Security: Prepare to face any form of malicious web activity and enable your sites to optimally serve your customers.

Low-Code Development: Learn the concepts of low code, features + use cases for professional devs, and the low-code implementation process.

E-Commerce Development Essentials: Considering starting or working on an e-commerce business? Learn how to create a backend that scales.

Getting Started With Jenkins: Learn fundamentals that underpin CI/CD, how to create a pipeline, and when and where to use Jenkins.

Related

  • Combining gRPC With Guice
  • 4 Major Steps Of Web Application Penetration Testing
  • Build a Twitter Leaderboard App With Redis and AWS Lambda (Part 2)
  • C# Applications Vulnerability Cheatsheet

Trending

  • Harnessing Integration Platforms To Unscramble the Data Mess
  • Safeguarding Data Exchange: A Comprehensive Overview of API Gateways and Their Imperative Role in Ensuring Robust Security
  • Modernizing Mainframe Applications by Harnessing Specialty Processors and the Power of the Cloud
  • An Executive Architect’s Approach to FinOps: How AI and Automation Streamline Data Management
  1. DZone
  2. Software Design and Architecture
  3. Security
  4. Fixing a CSRF Vulnerability

Fixing a CSRF Vulnerability

Want to learn how to fix a cross-site request forgery? Check out this post where we explore how to fix a CSRF vulnerability on your website in this tutorial.

Paul Michaels user avatar by
Paul Michaels
·
Oct. 19, 18 · Tutorial
Like (1)
Save
Tweet
Share
17.7K Views

Join the DZone community and get the full member experience.

Join For Free

One way that your website might be vulnerable to an attack is via a Cross-Site Request Forgery (CSRF or XSRF).

If you’ve ever been logged into a website  — say Twitter, for example — and you open a separate tab and type in a Twitter account, for example, this Twitter feed: https://www.twitter.com/paul_michaels. You’ll notice that when the site opens, it opens already logged in for you, which can be very helpful. Imagine having to log in every single time that you wanted to view a Tweet or a profile.

Now, imagine that, instead of typing that into the browser, you click on the link above – try it! Wha? It didn’t take you to Twitter, but it took you to the home page of this blog? That’s exactly how a CSRF attack would work in practice! If you were already logged into that site, the link could have executed a CSRF attack.

Cross-Site Request Forgery works on the premise that the victim of the attack is actually logged into a given website with valid credentials, and the attacker knows the exact format of a valid request. So, for example, I can take you to my Twitter profile, because the format of that is well known. Nobody, least of all Twitter, wants you to have to mess around with logging in again.

But, what about if you want to actually post a Tweet? Here’s the URL that gets called:

It’s a little difficult to demonstrate, because Twitter operates over HTTPS, so the traffic is encrypted, but the gist is that, even if I managed to create a site that copied this message exactly, the Tweet would not get created. Let’s have a look at replicating such an attack.

Replicating a CSFR Attack

Your first step is to create a standard website — the default MVC template will do. It might also help to demonstrate if you don’t use HTTPS.

Launch the website with F12 tools and make a given request. For example, click the “Contact” link on the default site. Make a note of the URL and the form data for the request:

Leave the app running and logged in.

Now Attack

Create a new web app with the following code:

<h1>Run CSRF Attack on MyApp</h1>
<form action="https://localhost:12312/SendLoadsOfMoney" method="post">
    <input type="hidden" name="values" 
           value="{'BankName': 'Big Bank', 'Amount': '1234.12' }">
    <input type="submit" value="Attack Now!">
</form>


Obviously, don’t use that code – otherwise, you’ll cause over a thousand pounds to be transferred from my account to yours! Replace the URL with whatever the URL from the above site was and the values with whatever values were behind your grey box above. You can use POST or GET or whatever else you like. What you’ll notice is that by clicking your button, it interacts with the site you created in the same way it would if you were on your site. The “SendLoadsOfMoney” is obviously just an example that takes it to the extremes, but the principle is correct.

Fix

To fix this in MVC is very easy.

Add the following:

[ValidateAntiForgeryToken]


If you add this to the controller method, you should start seeing this error:

The required anti-forgery cookie “__RequestVerificationToken” is not present.

Your calling code might look like this:

<form action="Test" method="post">
    <input type="submit" value="Test3">
</form>


The next step is to add a call into the client; for example:

<form action="Test" method="post">
    @Html.AntiForgeryToken()
    <input type="submit" value="Test3">
</form>


So far, so good. This works for the Asp.Net Mvc Core and framework, but not for ApiControllers! The decorator [ValidateAntiForgeryToken] has no effect on an ApiController out of the box (and worse, you’ll never know it without launching a specific attack on your ApiController). So, what can you do?

One option is to implement a custom token as described here. I would treat this as a specific case for ApiControllers only, though.

References

https://github.com/zaproxy/zaproxy/wiki/Downloads

https://www.owasp.org/index.php/OWASP_Testing_Project

https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet

https://docs.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-2.1

https://www.devexpress.com/Support/Center/Question/Details/KA18920/how-to-use-antiforgerytoken-during-devexpress-callbacks

twitter Vulnerability Requests ASP.NET MVC app Links Profile (engineering)

Published at DZone with permission of Paul Michaels, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

Related

  • Combining gRPC With Guice
  • 4 Major Steps Of Web Application Penetration Testing
  • Build a Twitter Leaderboard App With Redis and AWS Lambda (Part 2)
  • C# Applications Vulnerability Cheatsheet

Comments

Partner Resources

X

ABOUT US

  • About DZone
  • Send feedback
  • Careers
  • Sitemap

ADVERTISE

  • Advertise with DZone

CONTRIBUTE ON DZONE

  • Article Submission Guidelines
  • Become a Contributor
  • Core Program
  • Visit the Writers' Zone

LEGAL

  • Terms of Service
  • Privacy Policy

CONTACT US

  • 3343 Perimeter Hill Drive
  • Suite 100
  • Nashville, TN 37211
  • support@dzone.com

Let's be friends: