Posted 15 Sep 2014

Prevent MVC Application from Cross Site Request Forgery Attacks

First step towards securing MVC applications

Introduction

All web application platforms are potentially vulnerable to CSRF (Cross-Site Request Forgery) attacks. The best way to prevent this attack in an MVC application is to use the Anti-Forgery Token.

Consider a banking website, "www.bank.com", whose User controller contains an action method DeleteUser. When a request arrives from a client, the controller fetches the user id from the session and deletes that user from the database. Now suppose an attacker creates a site "www.songs.com" containing a button 'Latest songs' whose click event submits a request to "www.bank.com/User/DeleteUser". A user who is logged in to "www.bank.com" visits "www.songs.com" in another tab of the same browser. When he clicks the 'Latest songs' button, the browser sends the request together with his bank session cookie, and his account is deleted from the bank database. To reject these unwanted requests from other sites, MVC application developers use the Anti-Forgery Token.

The Anti-Forgery Token is mainly used on form POST actions to verify the origin of the POST data. It has two halves: when the server renders a page containing a form, @Html.AntiForgeryToken() emits a hidden form field and the server sets a matching cookie ("__RequestVerificationToken") in the client browser. When the form is posted, [ValidateAntiForgeryToken] checks that both the cookie and the hidden field are present and that they match. A request forged from another site is sent with the victim's cookies, but that site cannot read the hidden field out of the bank's page, so the form token is missing or invalid and the request is rejected. By adding [ValidateAntiForgeryToken] to the controller and @Html.AntiForgeryToken() to the view page, we can prevent cross-site request forgery.
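The two-part check described above, modelled in Python as an added example. This is not code from the article or from ASP.NET MVC: the cookie and field names are the ones shown in the article's error message, but the Request class, the server key, and the HMAC that binds the form token to the cookie token are constructed here to make the validation logic visible; the real framework builds its tokens differently. The simulation sends three constructed POSTs to the DeleteUser action: a legitimate one from the bank's own page, a cross-site one that carries the victim's cookie but no hidden field, and one whose hidden field belongs to a different cookie token.

```python
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass, field

# Names taken from the article's error message; the field name is what
# @Html.AntiForgeryToken() writes into the page as a hidden input.
COOKIE_NAME = "__RequestVerificationToken"
FIELD_NAME = "__RequestVerificationToken"


class AntiForgeryError(Exception):
    """Raised when a POST does not carry a matching cookie/form token pair."""


@dataclass
class Request:
    """Constructed model of what the server sees of a POST: cookies and form fields."""
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def issue_token_pair(server_key: bytes) -> tuple[str, str]:
    """Server side of rendering the form page (model of @Html.AntiForgeryToken()).

    Mints a random cookie token and a form token bound to it with a keyed MAC.
    The cookie goes to the browser as a cookie, the form token into the page.
    The HMAC binding is a simplification chosen for this example.
    """
    cookie_token = secrets.token_hex(16)
    form_token = hmac.new(server_key, cookie_token.encode(), "sha256").hexdigest()
    return cookie_token, form_token


def validate_anti_forgery(request: Request, server_key: bytes) -> None:
    """Server side of [ValidateAntiForgeryToken]: both halves present and matching."""
    cookie_token = request.cookies.get(COOKIE_NAME)
    if cookie_token is None:
        raise AntiForgeryError(
            f'The required anti-forgery cookie "{COOKIE_NAME}" is not present.')
    form_token = request.form.get(FIELD_NAME)
    if form_token is None:
        raise AntiForgeryError(
            f'The required anti-forgery form field "{FIELD_NAME}" is not present.')
    expected = hmac.new(server_key, cookie_token.encode(), "sha256").hexdigest()
    # Constant-time comparison so the check does not leak how much of the token matched.
    if not hmac.compare_digest(expected, form_token):
        raise AntiForgeryError(
            "The anti-forgery cookie token and form field token do not match.")


def check(request: Request, server_key: bytes) -> str:
    """Run the validation and report the outcome as a string."""
    try:
        validate_anti_forgery(request, server_key)
        return "accepted"
    except AntiForgeryError as exc:
        return f"rejected: {exc}"


def simulate(server_key: bytes) -> dict[str, str]:
    """Three constructed POSTs to /User/DeleteUser, as the bank's server would see them."""
    # The victim loaded the bank's page: the browser holds the cookie, the page the field.
    victim_cookie, victim_field = issue_token_pair(server_key)
    # A token pair issued for a different session, used to build a mismatched request.
    _other_cookie, other_field = issue_token_pair(server_key)

    legitimate = Request(cookies={COOKIE_NAME: victim_cookie},
                         form={FIELD_NAME: victim_field, "confirm": "Delete My Account"})
    # Cross-site form: the browser attaches the bank's cookie automatically, but the
    # other site cannot read the bank's page, so it cannot supply the hidden field.
    cross_site_no_field = Request(cookies={COOKIE_NAME: victim_cookie},
                                  form={"confirm": "Delete My Account"})
    # Cross-site form carrying a form token that belongs to another cookie token:
    # the pair fails the MAC check even though both halves are present.
    cross_site_wrong_field = Request(cookies={COOKIE_NAME: victim_cookie},
                                     form={FIELD_NAME: other_field, "confirm": "Delete My Account"})
    return {
        "legitimate": check(legitimate, server_key),
        "cross_site_no_field": check(cross_site_no_field, server_key),
        "cross_site_wrong_field": check(cross_site_wrong_field, server_key),
    }


if __name__ == "__main__":
    for name, outcome in simulate(secrets.token_bytes(32)).items():
        print(f"{name}: {outcome}")
```

The point the model makes is that the cookie alone proves nothing, because the browser attaches it to any request aimed at the bank; only the hidden field, which the bank's own page delivered and which no other origin can read, ties the POST to that page.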

Using the Code

The code below illustrates how the Anti-Forgery Token prevents Cross Site Request Forgery:

Without Anti-Forgery Token

1. Controller (Controller for deleting the user account)

using System.Web.Mvc;

// Vulnerable version: any site that can make the victim's browser send this request
// (the browser attaches the bank's session cookie automatically) deletes the account.
public class UserController : Controller
{
    public ActionResult DeleteUser()
    {
        var userId = (int)Session["userId"];
        DeleteUserFromDb(userId); // Function for deleting the user from the database
        return View();
    }

    // Data-access code is omitted in the original; stub kept so the class compiles.
    private void DeleteUserFromDb(int userId)
    {
    }
}

2. View (Button for deleting the user account in Bank page)

@using (Html.BeginForm("DeleteUser", "User"))
{
    <input type="submit" value="Delete My Account" />
}

With Anti-Forgery Token

1. Controller

using System.Web.Mvc;

// Applied at class level, as in the original, the attribute validates the token on
// every action in this controller, including GET requests, which carry no form field.
[ValidateAntiForgeryToken]
public class UserController : Controller
{
    [HttpPost] // the form in the view submits a POST; do not route GETs to this action
    public ActionResult DeleteUser()
    {
        var userId = (int)Session["userId"];
        DeleteUserFromDb(userId); // Function for deleting the user from the database
        return View();
    }

    // Data-access code is omitted in the original; stub kept so the class compiles.
    private void DeleteUserFromDb(int userId)
    {
    }
}

2. View

@using (Html.BeginForm("DeleteUser", "User"))
{
    @Html.AntiForgeryToken()
    <input type="submit" value="Delete My Account" />
}

Cross Site Request Error

Server Error in '/' Application.

The required anti-forgery cookie "__RequestVerificationToken" is not present.

Description: An unhandled exception occurred during the execution of the current web request. 
Please review the stack trace for more information about the error and where it originated in the code. 

Exception Details: System.Web.Mvc.HttpAntiForgeryException: 
The required anti-forgery cookie "__RequestVerificationToken" is not present.

Points of Interest

You may be wondering why I have shown the error without explaining how to resolve it. This is a simple error that arises when the anti-forgery token attributes are not used in the appropriate places: if we specify [ValidateAntiForgeryToken] on the controller but omit @Html.AntiForgeryToken() from the view page that posts the form, this exception is thrown and the data is not posted to the server.

History

I came across this exception after using this valuable asset that MVC provides us with. This is a really handy attribute and the first stage of security that an MVC developer should have in mind.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


About the Author

Shemeemsha (ഷെമീംഷ)
Software Developer (Junior)
India India
"MVC 70-486" and "OCJP" certified.
Email: Shemeemsha@gmail.com

Last Updated 16 Sep 2014
Article Copyright 2014 by Shemeemsha (ഷെമീംഷ)