Preventing CSRF Attacks In ASP.NET Core 2.0

Tahir Naushad
Jan 12, 2018
2.3k
0
4
Article

Problem

How to prevent Cross-Site Request Forgery attacks in ASP.NET Core.

Solution

Create an empty project and update Startup to add middleware and services for MVC,

public class Startup
{
public void ConfigureServices(
IServiceCollection services)
{
services.AddSingleton<IMovieService, MovieService>();
services.AddMvc();
}
public void Configure(
IApplicationBuilder app,
IHostingEnvironment env)
{
app.UseMvcWithDefaultRoute();
}
}

Create a model and service,

public class Movie
{
public string Title { get; set; }
}
public interface IMovieService
{
List<Movie> GetMovies();
void AddMovie(Movie item);
}

Note - The implementation of the service doesn’t matter here but it can be getting data from EF etc. In the sample, I just stored data in-memory.

Add a Controller.

public class HomeController : Controller
{
private readonly IMovieService service;
public HomeController(IMovieService service)
{
this.service = service;
}
public IActionResult Index()
{
var model = this.service.GetMovies();
return View(model);
}
public IActionResult Create()
{
return View();
}
[HttpPost]
[ValidateAntiForgeryToken]
public IActionResult Save(Movie model)
{
this.service.AddMovie(model);
return RedirectToAction("Index");
}
}

Add an Index View.

@using Fiver.Security.Csrf.Models.Home
@model List<Movie>
<strong>Home</strong>
<a asp-action="Create">Create</a>
<ul>
@foreach (var item in Model)
{
<li>@item.Title</li>
}
</ul>

Add a Create view.

@using Fiver.Security.Csrf.Models.Home
@model Movie
<strong>Create</strong>
<form asp-action="Save" method="post">
<label asp-for="Title"></label>
<input asp-for="Title" /> <br />
<br />
<button type="submit">Save</button><br />
</form>

Run and browse to Create view and observe its source.

<strong>Create</strong>
<form method="post" action="/Home/Save">
<label for="Title">Title</label>
<input type="text" id="Title" name="Title" value="" /> <br />
<br />
<button type="submit">Save</button><br />
<input name="__RequestVerificationToken" type="hidden" value="CfDJ8N-xGVhsz-FFuPUED-HLkPE1W4kY7t4IBowqElti5j6zVsXpONu4D8nZ6wdM50tq-X-Y-hA-gPBiXcxzpBmhgxGmzcJSX6Aopc239-js0cPwQv0jZK-l5pY8Z9EZHFC_LCdp2VO3pCp1PKy8D_-T_C8" />
</form>

Also, note the cookie added for anti-forgery.

Add a new entry and observe the request in fiddler.

Discussion

OWASP 2013 classifies Cross-Site Request Forgery (CSRF) as one of the top 10 risks and it is present if an attacker can force the victim's browser to send a forged request to the web application which considers it a legitimate request.

ASP.NET Core provides an easy to use mechanism to prevent such attacks by

Creating a cookie with an encrypted token.
Emitting a hidden form element (__RequestVerificationToken) with an encrypted token.

The cookie and form field will be sent to server on subsequent requests, as observed in the above fiddler screenshot. Server will reject the request if any of the two (cookie or form field) is missing, e.g. - excluding the form field returns a 400 (Bad Request).

Server will also throw an exception if any of the two (cookie or form field) is modified, e.g. - below, I changed the value of form field.

How it works

In order to add the hidden tokens, we just need to use the form tag and apply [ValidateAntiForgeryToken] attribute to our controller action. Yes, that’s it.

You could also apply the [AutoValidateAntiforgeryToken] attribute on your controller to enable the forgery token validation for all the unsafe actions (e.g. POST and PUT) on your controller