Thursday, March 12, 2015

Cross Site Request Forgery in MVC

In today's blog post I am going to talk about an important attack against MVC applications: Cross-Site Request Forgery (CSRF).

Cross Site Request Forgery

This is an attack whereby the victim is fooled into taking some unwanted action that is carried out on his/her behalf. To illustrate the attack, let me first explain how a browser works.

Suppose we log in to our bank account. When the login page appears, we enter our username and password, and we get some session information back from the server. The browser then stores the session information in a cookie. On subsequent requests to the same site, the browser automatically sends the session cookie with the request, which identifies us, so that we don't have to enter our username and password multiple times.

Now, let's see how the attacker can use this browser behavior to carry out a CSRF attack. Suppose there is a widely used forum or website which allows people to post links, and the attacker has posted the following link somewhere:

The aim of the attacker is to make the victim click this link while he/she is logged in to his/her bank account. And voila, the attacker gets the amount transferred into the account number mentioned. So next time you browse the web while logged in to your bank account, beware! ;)

Usually, the attacker applies some social engineering skills to make the victim click the link, but that's not the point. The point is that the victim has been fooled into some action which he/she never intended. This is a Cross-Site Request Forgery attack.

So here, since the user is logged in to the myfakebank website when the request is triggered, the victim transfers 10000 dollars from his/her account without intending to.

How to Prevent?

It would be an injustice to everyone if we only discussed the attack and not the ways to prevent it. ASP.NET MVC provides an easy way to avoid this, i.e. to make sure that the user has submitted the data willingly. This is accomplished by placing a simple hidden value on the form whenever the user requests it and then, on form submit, matching the submitted value against the one previously sent. If the values match, then it's indeed the correct user who submitted the form; otherwise it can be considered a cross-site request forgery attack.

This hidden value used to prevent CSRF is called an anti-forgery token. In order to use it, we need to put it on our View like this:


This puts an encrypted value in the form like this:

<input name="__RequestVerificationToken" type="hidden" value="encrypted value" />

And then, on the POST controller action, we can validate it like this:

[HttpPost, ValidateAntiForgeryToken]
public ActionResult Transfer(…)

This anti-forgery token can prevent most CSRF attacks and should always be used.
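As an added example (not code from the original post), here is how the view helper and the validating action described above fit together in ASP.NET MVC 5. TransferModel, AccountController and the field names are assumptions, and the OnException override goes one step beyond the post by logging rejected requests and answering 403.

```csharp
using System.Diagnostics;
using System.Web.Mvc;

// TransferModel and AccountController are assumed names for illustration.
public class TransferModel
{
    public string ToAccount { get; set; }
    public decimal Amount { get; set; }
}

[Authorize]
public class AccountController : Controller
{
    // GET only renders the form. It must not move money: a posted link
    // makes the victim's browser send a GET with the session cookie.
    [HttpGet]
    public ActionResult Transfer() { return View(new TransferModel()); }

    // The filter runs before the action body and checks the hidden
    // __RequestVerificationToken field against its paired cookie.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Transfer(TransferModel model)
    {
        if (!ModelState.IsValid) return View(model);
        // Application-specific transfer logic goes here (not shown).
        return RedirectToAction("Transfer");
    }

    // A failed check raises HttpAntiForgeryException: log it and answer
    // 403 rather than the generic error page.
    protected override void OnException(ExceptionContext filterContext)
    {
        if (filterContext.Exception is HttpAntiForgeryException)
        {
            Trace.TraceWarning("Anti-forgery check failed: user={0} referer={1}",
                User.Identity.Name, Request.Headers["Referer"]);
            filterContext.Result = new HttpStatusCodeResult(403);
            filterContext.ExceptionHandled = true;
            return;
        }
        base.OnException(filterContext);
    }
}
// Views/Account/Transfer.cshtml (Razor), the matching form:
//   @using (Html.BeginForm()) {
//       @Html.AntiForgeryToken()
//       @Html.TextBoxFor(m => m.ToAccount) @Html.TextBoxFor(m => m.Amount)
//       <input type="submit" value="Transfer" /> }
```

The token only protects actions that carry the attribute, so every state-changing action needs both [HttpPost] and [ValidateAntiForgeryToken]; an action that changes state on GET stays exposed to a posted link.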


Today we discussed what a cross-site request forgery attack is and how it can be harmful. We also discussed how the anti-forgery token works in ASP.NET MVC and how it prevents CSRF attacks.