
[ASP.NET] mvc ajax with AntiForgeryToken to prevent CSRF attacks

Posted on 11/2/2017 10:06:29 AM
It is often seen in projects that ajax posts data to the server without an anti-forgery token, which leaves the site open to CSRF attacks. In ASP.NET MVC it is very easy to add an anti-forgery token: just add Html.AntiForgeryToken() to the form.
Html.AntiForgeryToken() generates a pair of encrypted strings, one stored in a cookie and one in a hidden input. We also send the AntiForgeryToken along with the ajax post.
Html.AntiForgeryToken() in MVC is a measure to prevent cross-site request forgery (CSRF: Cross-site request forgery) attacks, which is different from XSS (XSS is also known as CSS: Cross-Site-Script). XSS generally uses trusted users of the site to insert malicious script code into the site in order to attack; CSRF, on the other hand, is a pseudo-trusted user attacking a website.
First, let's view the code as follows:

When running, the generated html code looks like this:

Let's click the test button to send a test request and see whether it carries the anti-forgery cookie, as shown in the figure below:

The code in the controller is as follows:

We need to add the ValidateAntiForgeryToken attribute to each controller action; if the user does not send the AntiForgeryToken, we can return a friendly prompt to the user, as follows:

Original poster | Posted on 11/2/2017 11:05:37 AM
For the above method, you must write a custom attribute; you cannot use the default ValidateAntiForgeryToken attribute.

The default attribute takes the value from the form and then checks it.



I wrapped a jQuery post method with anti-forgery validation; the code is as follows:



Original poster | Posted on 11/2/2017 11:17:36 AM
IsAjaxRequest determines whether the request is an ajax request.

Essentially, IsAjaxRequest() checks whether there is an X-Requested-With field in the header and whether its value is XMLHttpRequest.

Looking at the documentation is useless; it depends on the source code.
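The three posts above describe the pieces but the code itself was posted as images. The following is an added example, not the original poster's code: an ASP.NET MVC authorization filter that validates the anti-forgery token pair for both a normal form post and a jQuery ajax post, and returns a friendly JSON prompt when the token is missing or wrong. It assumes the client wrapper sends the hidden input's value either as the form field `__RequestVerificationToken` or in a request header named `X-RequestVerificationToken` (the header name is an assumption; any name works as long as client and server agree). `AntiForgery.Validate`, `AntiForgeryConfig.CookieName` and `Request.IsAjaxRequest()` are real framework APIs; `HomeController.Test` is a hypothetical action used only to show the attribute in place.

```csharp
using System;
using System.Net;
using System.Web;
using System.Web.Helpers;
using System.Web.Mvc;

// Added example (not code from the thread). The built-in [ValidateAntiForgeryToken]
// only reads the hidden form field, so an ajax caller that puts the token in a header
// is rejected; this attribute accepts the token from either location.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false, Inherited = true)]
public sealed class ValidateAjaxAntiForgeryTokenAttribute : FilterAttribute, IAuthorizationFilter
{
    // Name of the hidden input emitted by Html.AntiForgeryToken() in ASP.NET MVC 4+.
    private const string FormFieldName = "__RequestVerificationToken";

    // Assumed header name used by the client-side ajax wrapper.
    private const string HeaderName = "X-RequestVerificationToken";

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        HttpRequestBase request = filterContext.HttpContext.Request;

        // First half of the pair: the anti-forgery cookie set alongside the hidden input.
        HttpCookie cookie = request.Cookies[AntiForgeryConfig.CookieName];
        string cookieToken = cookie != null ? cookie.Value : null;

        // Second half: form field for a classic post, header for an ajax post.
        string requestToken = request.Form[FormFieldName];
        if (string.IsNullOrEmpty(requestToken))
        {
            requestToken = request.Headers[HeaderName];
        }

        try
        {
            // Throws HttpAntiForgeryException when either half is missing or they do not match.
            AntiForgery.Validate(cookieToken, requestToken);
        }
        catch (HttpAntiForgeryException)
        {
            filterContext.Result = BuildFailureResult(request);
        }
    }

    // Ajax callers get a JSON body they can show as a friendly message;
    // ordinary browser form posts get a plain HTTP 400.
    private static ActionResult BuildFailureResult(HttpRequestBase request)
    {
        // IsAjaxRequest() is true when the X-Requested-With header equals "XMLHttpRequest".
        if (request.IsAjaxRequest())
        {
            return new JsonResult
            {
                Data = new
                {
                    success = false,
                    message = "Anti-forgery token missing or invalid; please reload the page and try again."
                },
                JsonRequestBehavior = JsonRequestBehavior.AllowGet
            };
        }
        return new HttpStatusCodeResult(HttpStatusCode.BadRequest, "Anti-forgery token missing or invalid.");
    }
}

// Hypothetical controller showing the attribute applied to a POST action.
public class HomeController : Controller
{
    [HttpPost]
    [ValidateAjaxAntiForgeryToken]
    public ActionResult Test(string name)
    {
        return Json(new { success = true, message = "Hello " + name });
    }
}
```

On the client, a jQuery wrapper that matches this filter reads the value of the hidden input named `__RequestVerificationToken` rendered by `Html.AntiForgeryToken()` and either appends it to the posted form data under that same name or sets it as the `X-RequestVerificationToken` header in `beforeSend`; the page's own `success` callback can then inspect the `success` flag in the JSON and display `message` to the user. Because the cookie half is `HttpOnly` and the request half must match it, a cross-site page cannot forge a passing request even though the browser attaches the cookie automatically.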
Original poster | Posted on 2/20/2021 7:22:26 PM
ASP.NET CSRF attack Ajax request encapsulation
https://www.itsvse.com/thread-8077-1-1.html