Cross Site Request Forgery

XSRF is an attack where a hacker makes malicious requests to a web app, when the user of the website is already authenticated. This can happen when a website uses cookies to persist the token of an trusted website, user. A pure SPA should not use cookies to as it is hard to protect against this. With a server side rendered application, like ASP.NET Core MVC, anti-forgery cookies can be used to protect against this, which makes it safer, when using cookies.

  • public void ConfigureServices(IServiceCollection services)
  • {
  • services.AddAntiforgery(options => options.HeaderName = “X-XSRF-TOKEN”);
  • services.AddMvc();
  • }

The XSRF-TOKEN cookie is added to the response of the HTTP request. The cookie is a secure cookie so this is only sent with HTTPS and not HTTP. All HTTP (Not HTTPS) requests will fail and return a 400 response. The cookie is created and added each time a new server url is called, but not for an API call.

  • app.Use(async (context, next) =>
  • {
  • string path = context.Request.Path.Value;
  • if (path != null && !path.ToLower().Contains(“/api”))
  • {
  • // XSRF-TOKEN used by angular in the $http if provided
  • var tokens = antiforgery.GetAndStoreTokens(context);
  • context.Response.Cookies.Append(“XSRF-TOKEN”,
  • tokens.RequestToken, new CookieOptions {
  • HttpOnly = false,
  • Secure = true
  • }
  • );
  • }
  • await next();
  • });

The API uses the ValidateAntiForgeryToken attribute to check if the request contains the correct value for the XSRF-TOKEN cookie. If this is incorrect, or not sent, the request is rejected with a 400 response. The attribute is required when data is changed. HTTP GET requests should not require this attribute.

  • [HttpPut]
  • [ValidateAntiForgeryToken]
  • [Route(“{id:int}”)]
  • public IActionResult Update(int id, [FromBody]Thing thing)
  • {
  • return Ok(updatedThing);
  • }

You can check the cookies in the chrome browser.

About the author

admin administrator

Leave a Reply