Posted on 2/20/2021 7:57:29 PM
To prevent CSRF attacks, ASP.NET MVC provides the ValidateAntiForgeryToken attribute, and in the newer ASP.NET Core framework Microsoft adds the AutoValidateAntiforgeryToken attribute. This article explains in detail what the difference between ValidateAntiForgeryToken and AutoValidateAntiforgeryToken is.
CSRF concept
CSRF (Cross-Site Request Forgery) is, like XSS, an extremely harmful class of attack. You can understand it this way: the attacker borrows your identity and sends a malicious request in your name. To the server the request is completely legitimate, but it completes an action the attacker wants, such as sending emails or messages in your name, taking over your account, adding system administrators, or even purchasing goods or transferring virtual currency. Web A is a website with a CSRF vulnerability, Web B is a malicious website built by the attacker, and User C is a legitimate user of Web A.
ASP.NET MVC against CSRF attacks
On the view page, call @Html.AntiForgeryToken() to add the token; when the user requests the page, the backend automatically renders a hidden input carrying it, as follows:
<input name="__RequestVerificationToken" type="hidden" value="CfDJ8FBn4LzSYglJpE6Q0fWvZ8WDMTgwK49lDU1XGuP5-5j4JlSCML_IDOO3XDL5EOyI_mS2Ux7lLSfI7ASQnIIxo2ScEJvnABf9v51TUZl_iM2S63zuiPK4lcXRPa_KUUDbK-LS4HD16pJusFRppj-dEGc" />
The controller action must be marked with the [ValidateAntiForgeryToken] attribute so that forged form submissions are rejected.
The difference between ValidateAntiForgeryToken and AutoValidateAntiforgeryToken
AutoValidateAntiforgeryTokenAuthorizationFilter inherits from ValidateAntiforgeryTokenAuthorizationFilter and overrides only its ShouldValidate method.
The AutoValidateAntiforgeryToken attribute causes antiforgery token validation for all unsafe HTTP methods: every method other than GET, HEAD, OPTIONS, and TRACE requires an antiforgery token. It can be applied as a global filter so that the application validates antiforgery tokens by default.
AutoValidateAntiforgeryTokenAttribute delegates validation to AutoValidateAntiforgeryTokenAuthorizationFilter, which inherits from ValidateAntiforgeryTokenAuthorizationFilter and overrides ShouldValidate: returning true means the request is validated, returning false means it is not, as shown in the figure below:
Analyzing the source code:
AutoValidateAntiforgeryTokenAttribute lets antiforgery token validation be applied globally to all unsafe methods, such as POST, PUT, PATCH and DELETE, so you do not need to add the [ValidateAntiForgeryToken] attribute to every action that requires it.
To use it, add the following code to the ConfigureServices method of your Startup class:
If you need to skip antiforgery validation for a particular action, add the [IgnoreAntiforgeryToken] attribute to that action.
Sometimes you need to protect several actions on a controller while leaving others, such as the various GET-based operations, without antiforgery validation. There are several tools that make this more convenient. The first is the AutoValidateAntiforgeryToken attribute. It behaves like the ValidateAntiForgeryToken attribute, but it automatically skips actions invoked with the methods intended for data retrieval: GET, HEAD, OPTIONS, and TRACE. This lets you quickly add antiforgery protection to every action that can change data without affecting how data is read.
The following code shows the AutoValidateAntiforgeryToken attribute in use:
In this example, the normal Index action (GET) works regardless of where the request comes from, while the Index action for POST and the RemoveUser action for DELETE both require the client to present an antiforgery token.
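The following is an added example, not the post's own code, that covers both the global registration in ConfigureServices and the per-controller usage with GET, POST and DELETE actions described above. UsersController, RemoveUser and Webhook are illustrative names.

```csharp
// Added example, not the post's own code: registering AutoValidateAntiforgeryToken as a
// global filter and a controller showing which actions it validates. UsersController,
// RemoveUser and Webhook are illustrative names.
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Global filter: every POST/PUT/PATCH/DELETE action now requires a valid
        // antiforgery token; GET/HEAD/OPTIONS/TRACE are skipped by ShouldValidate.
        services.AddControllersWithViews(options =>
            options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()));
    }
}

// The same attribute can instead be scoped to one controller.
[AutoValidateAntiforgeryToken]
public class UsersController : Controller
{
    // GET is a safe method: served no matter where the request came from.
    [HttpGet]
    public IActionResult Index() => View();

    // POST is unsafe: rejected with 400 unless the __RequestVerificationToken
    // field (or header) matches the antiforgery cookie.
    [HttpPost]
    public IActionResult Index(string userName)
    {
        ViewData["Message"] = $"Saved {userName}";
        return View();
    }

    // DELETE is unsafe too, so it is validated exactly like the POST.
    [HttpDelete]
    public IActionResult RemoveUser(int id) => Ok(new { removed = id });

    // Opt one unsafe action out, e.g. an endpoint authenticated by a token
    // of its own where no browser session is involved.
    [HttpPost, IgnoreAntiforgeryToken]
    public IActionResult Webhook() => Ok();
}
```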
Customizing the relevant names
Many people wonder whether the name of the generated hidden field can be replaced with their own, and whether the cookie name can be changed as well.
The answer is yes; here is a brief demonstration:
In Startup's ConfigureServices method, add the following to change the default names.
Note: the biggest difference between ASP.NET Core and ASP.NET here is that Core also supports passing the validation token in a request header, not only in form fields.
private const string AntiforgeryTokenFieldName = "__RequestVerificationToken";
private const string AntiforgeryTokenHeaderName = "RequestVerificationToken";
These defaults can be confirmed in the framework source code.
Test code:
Result: requesting the test1 method returns a 400 error, requesting the test2 method returns the str parameter we passed, and you can see that the AutoValidateAntiforgeryToken attribute does not intercept the GET request.
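The following is an added example, not the post's own code, that puts together the renaming shown above, a way to hand the token to header-based clients (the Core-only path the note mentions), and test1/test2 actions that behave as the result describes. TestController and the custom names are assumptions.

```csharp
// Added example, not the post's own code: renaming the antiforgery form field, header
// and cookie, handing the token to header-based clients, and the test1/test2 actions
// whose results the post reports. TestController and the custom names are illustrative.
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAntiforgery(options =>
        {
            // Defaults are "__RequestVerificationToken" (form field),
            // "RequestVerificationToken" (header) and a ".AspNetCore.Antiforgery.*" cookie.
            options.FormFieldName = "__MyAppToken";
            options.HeaderName = "X-MyApp-Token";
            options.Cookie.Name = "MyApp.Antiforgery";
        });
        services.AddControllersWithViews();
    }
}

[AutoValidateAntiforgeryToken]
public class TestController : Controller
{
    private readonly IAntiforgery _antiforgery;
    public TestController(IAntiforgery antiforgery) => _antiforgery = antiforgery;

    // GET: hands out the request token for clients that post JSON instead of forms.
    // The cookie half is written to the response; the client sends the other half
    // back in the X-MyApp-Token header, which Core validates like the form field.
    [HttpGet]
    public IActionResult Token()
    {
        AntiforgeryTokenSet tokens = _antiforgery.GetAndStoreTokens(HttpContext);
        return Json(new { header = tokens.HeaderName, token = tokens.RequestToken });
    }

    // POST: an unsafe method. Without a field-or-header token matching the cookie
    // the filter answers 400 and this body never runs.
    [HttpPost]
    public IActionResult Test1(string str) => Content($"validated: {str}");

    // GET: a safe method, so ShouldValidate returns false and the parameter is
    // echoed back with no token present at all.
    [HttpGet]
    public IActionResult Test2(string str) => Content(str ?? string.Empty);
}
```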
(End)