Introduction
Whenever we work on an application we are constrained by the project scope and its business logic in order to meet the delivery date. We cannot give as much attention to security, and later, after deployment, our project gets hacked through cross-site request forgery (CSRF). The .NET Framework has introduced a security feature to protect the data of our MVC projects using an anti-forgery token whenever we submit data through an MVC form. Cross-site scripting (XSS) is the most dangerous issue on the web (internet applications). I have already explained a very well known MVC error, Unexpected if keyword after @ character. How does the anti-forgery token work to prevent CSRF requests? The steps are provided below.
Here we define AntiForgeryToken() in the MVC view and controller to protect our website from CSRF attacks. A POST request is shown with the anti-forgery token, because the anti-forgery token works only with the POST method, not with GET. The core MVC packages already include HTML helpers, which make it easy to avoid a potential CSRF attack.
Namespace: System.Web.Mvc
@using (Html.BeginForm("Checkforanti", "Test", FormMethod.Post))
{
@Html.AntiForgeryToken()
<input type="submit" value="Create" />
}
Validating the AntiForgeryToken() in the Controller
We need to write the necessary code in the MVC controller to protect our sensitive data from CSRF requests. The controller code sample is illustrated below. We need to add the [ValidateAntiForgeryToken] attribute to our POST action so that a potentially harmful CSRF request is rejected.
[HttpPost]
[ValidateAntiForgeryToken()]
public ActionResult Checkforanti(string _str)
{
return View();
}
How does AntiForgeryToken() render in the browser? It is rendered as a hidden input field, as shown below:
<input name="__RequestVerificationToken" type="hidden" value="XBkRoc3uM9fXmGLO-vfrWSz8axwgWgkNJN-N4yGtMe6n0WCTc0ABKG71InJXPtkeMfTJGwUI307BFRZ96VzhxmG1gOCaIe4TI7qmXJ1H8_k1" />
Error Description
The required anti-forgery form field "__RequestVerificationToken" is not present. If we comment out AntiForgeryToken() in the MVC view while still validating the anti-forgery token in the MVC controller, the POST will throw the well known error: The required anti-forgery form field "__RequestVerificationToken" is not present.
Drawbacks of the Anti-Forgery helpers
- All users must accept cookies for the protection to work; until the browser accepts the anti-forgery cookie, your website is not protected.
- AntiForgeryToken() works only for the POST method, not for GET, so it does not protect our data while it is being retrieved from our database.
- It is very easy to break into your website through XSS holes: if your domain has an XSS hole, your anti-forgery token can be read. It is essential that your website is free of XSS holes.
- You need to protect your cookies in the browser to avoid attacks on sensitive information.
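The form helper above only covers classic form posts. As an added example (not code from the original post), the filter below applies the same cookie-plus-token check to AJAX/JSON POSTs that have no form field; it assumes the client copies the value of the rendered __RequestVerificationToken hidden input into a request header whose name, X-RequestVerificationToken, is chosen for this example, and it uses the System.Web.Helpers.AntiForgery API from the System.Web.WebPages assembly.

```csharp
using System;
using System.Net;
using System.Web;
using System.Web.Helpers;   // AntiForgery, AntiForgeryConfig (System.Web.WebPages assembly)
using System.Web.Mvc;

// Validates the anti-forgery token for AJAX/JSON POSTs, where there is no
// <form> and therefore no __RequestVerificationToken form field.
// The client sends the form token in a request header (header name below is
// an assumption for this example); the paired cookie token is sent by the
// browser automatically, which is why cookies must be accepted (drawback 1).
public sealed class ValidateAjaxAntiForgeryTokenAttribute : FilterAttribute, IAuthorizationFilter
{
    private const string HeaderName = "X-RequestVerificationToken"; // assumed header name

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        HttpRequestBase request = filterContext.HttpContext.Request;

        // Only state-changing methods are checked; GET stays unprotected,
        // exactly as the post notes for the built-in helper.
        if (string.Equals(request.HttpMethod, "GET", StringComparison.OrdinalIgnoreCase))
            return;

        HttpCookie cookie = request.Cookies[AntiForgeryConfig.CookieName];
        string cookieToken = cookie == null ? null : cookie.Value;
        string formToken = request.Headers[HeaderName];

        try
        {
            // Same check that [ValidateAntiForgeryToken] performs on form posts:
            // the header token must pair with the cookie token for this user.
            AntiForgery.Validate(cookieToken, formToken);
        }
        catch (HttpAntiForgeryException)
        {
            // Fail closed with a plain 400 instead of a stack trace page.
            filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.BadRequest,
                "The anti-forgery token is missing or invalid.");
        }
    }
}

// Usage: decorate the JSON action with [HttpPost, ValidateAjaxAntiForgeryToken]
// and keep @Html.AntiForgeryToken() in the view so the token and cookie exist.
```

A missing cookie, a missing header, or a token that does not pair with the cookie all raise HttpAntiForgeryException inside AntiForgery.Validate, so the request is rejected before the action runs.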