Cross site request forgery attack in aspx page vs MVC?

As per my understanding, a CSRF attack is a client-side attack which will force the user to run a piece of script. If I am doing server-side actions on my button click in an aspx page, how can attackers run this script? That is, if my site is doing some fund transfer on an asp button click, how can attackers run these CSRF scripts on button click? If I am handling this request using GET and POST methods, I think attackers can do CSRF here, but how would they do it with an asp button click event?
In MVC we are doing a button submit, so it may be possible, I think.
Could anyone explain this?
Comments
Kornfeld Eliyahu Peter 19-Apr-15 3:47am    
Check this: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet

1 solution

CSRF attacks are attacks in which malicious websites use your API / service with their own data. If the client session is valid, this 'malicious' request will go through.

Let's assume a good site A and a bad site B.

User opens site A on the browser and does some transaction.
While this window is still open, user A visits site B.
Site B has some 'nasty' JavaScript which posts a request to site A.
Since the session for A is still valid in the browser, site B could gain access to site A's API and do whatever they want.

To avoid this kind of forgery attack, a token can be used.

Some information on how to prevent these attacks:
http://www.asp.net/mvc/overview/security/xsrfcsrf-prevention-in-aspnet-mvc-and-web-pages
Hack Proof Your ASP.NET Application Part 3 (Cross Site Request Forgery)
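
The token check mentioned in the answer, applied to its site A / site B scenario, as an added example that is not part of the original answer and not ASP.NET's built-in anti-forgery code. An aspx button click reaches the server as an ordinary form POST, so the same check covers both the aspx and the MVC case. The class and method names, the HMAC-over-session-id construction and the session ids are assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class AntiForgery
{
    // Server-side secret, generated per process for this demo (assumption).
    static readonly byte[] Key = NewKey();

    static byte[] NewKey()
    {
        var key = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        return key;
    }

    static byte[] Mac(string sessionId)
    {
        using (var hmac = new HMACSHA256(Key))
            return hmac.ComputeHash(Encoding.UTF8.GetBytes(sessionId));
    }

    // Site A renders this value into a hidden field of its own form.
    public static string Issue(string sessionId) => Convert.ToBase64String(Mac(sessionId));

    // Accept a POST only if the form field matches the session from the cookie.
    public static bool Validate(string sessionId, string formToken)
    {
        if (string.IsNullOrEmpty(sessionId) || string.IsNullOrEmpty(formToken)) return false;
        byte[] actual;
        try { actual = Convert.FromBase64String(formToken); }
        catch (FormatException) { return false; }
        byte[] expected = Mac(sessionId);
        if (actual.Length != expected.Length) return false;
        int diff = 0; // constant-time comparison of the two MACs
        for (int i = 0; i < expected.Length; i++) diff |= expected[i] ^ actual[i];
        return diff == 0;
    }
}

static class Program
{
    static void Main()
    {
        string session = "constructed-session-A1"; // cookie the browser sends on every request to A
        string token = AntiForgery.Issue(session);
        // 1. Form submitted from site A's own page: cookie plus hidden token.
        Console.WriteLine(AntiForgery.Validate(session, token));
        // 2. POST triggered from site B: cookie attached, but B cannot read A's page for the token.
        Console.WriteLine(AntiForgery.Validate(session, null));
        // 3. A token issued for a different session is presented.
        Console.WriteLine(AntiForgery.Validate(session, AntiForgery.Issue("constructed-session-B2")));
    }
}
```

In ASP.NET MVC the framework's own `@Html.AntiForgeryToken()` helper and `[ValidateAntiForgeryToken]` attribute provide this kind of check; the first link in the answer describes them.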
 

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


