Friday, February 22, 2013

Understanding CSRF Attack & How to prevent it in ASP.Net MVC

Naveed Ahmad

In this article, I will start with an introduction to Cross-Site Request Forgery (CSRF). We will create a web page (the good one) and then an evil HTML page that performs a CSRF attack against the good page. At the end, we will change the code of the good page to make it secure, so that no evil page can initiate CSRF against it.

Please note that I will use ASP.Net MVC 4 and Visual Studio 2012 for the demonstration in this article.

Let's get started!

What is a Cross-Site Request Forgery (CSRF)?

In Cross-Site Request Forgery (CSRF), the hacker uses the victim's privileges to carry out the attack. For example, I have a website where I can log in to the admin section and add a record. When I log in, a cookie or session is created to authenticate my requests. A hacker can create a page that generates a malicious request to my site; because my browser attaches the cookie automatically, the request rides on my pre-authenticated privileges and performs an action as if I had requested it.

[Image "csrf": diagram demonstrating CSRF in action]

Let's do it practically

I have created a website in ASP.Net MVC 4 which can add a database record after logging in. (I am not going to teach you how to create a website in ASP.Net MVC 4; if you don't know how to do this, you can google for a tutorial.)
Here is the web page I have created. You need to authenticate by providing a username and password to access this page, and on this page you can click on "Create New" to add a new database record.

[Image "Authenticated": the page shown after logging in]

When you click on "Create", it shows the following form:

[Image "create": the form for adding a record]

You can create a new database record from this form (pretty simple).


Let's create an evil page to do a CSRF attack on the website I just created

To do this you need a little bit of knowledge of HTML.
Let's create an HTML page, "prize.html":
[Image "prize": the prize.html page]

Now, in your favorite browser, view the source of the page that creates a record in the database and look for the code of the form:

[Image "form": the form markup from the page source]

Copy this code into "prize.html" and tweak it a bit; see the following image.

[Image "evilp": the modified prize.html]

Now our evil page is ready. If we open this page while we are still authenticated to the good site, the browser submits the copied form together with our authentication cookie, and the page's value is inserted into our database.


Let's secure our page

In ASP.Net MVC, securing our page is easy.
Add the attribute [ValidateAntiForgeryTokenAttribute] (the usual C# shorthand [ValidateAntiForgeryToken] is equivalent) to your controller action; see the following image.
[Image "attribute": the controller action decorated with the attribute]

In our view, we will use the HTML helper Html.AntiForgeryToken; see the following image.

[Image "view": the Razor view calling Html.AntiForgeryToken]
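The two screenshots above are images, so here is the same protection written out as code. This is an added example and not the article's own code; the controller, model and view names (RecordsController, Record, Create.cshtml) and the in-memory list standing in for the database are assumptions made for illustration.

```csharp
// Added example (not from the article): the "create record" action protected
// with ValidateAntiForgeryToken, plus the Razor view that emits the token.
using System.Collections.Generic;
using System.Web.Mvc;

// Assumed model for the record the form creates.
public class Record
{
    public int Id { get; set; }
    public string Name { get; set; }
}

[Authorize] // only authenticated users reach this controller at all
public class RecordsController : Controller
{
    // Assumed stand-in for the article's database table.
    private static readonly List<Record> Records = new List<Record>();

    // GET /Records/Create renders the form. The view calls
    // @Html.AntiForgeryToken(), which writes the hidden field and sets the cookie.
    [HttpGet]
    public ActionResult Create()
    {
        return View();
    }

    // POST /Records/Create: the attribute rejects any request whose hidden
    // __RequestVerificationToken field does not pair with the cookie token.
    // A form copied into prize.html cannot supply a matching pair, so the
    // forged request never reaches the body of this method.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Create(Record record)
    {
        if (!ModelState.IsValid)
        {
            return View(record);
        }

        record.Id = Records.Count + 1;
        Records.Add(record);
        return RedirectToAction("Index");
    }
}

/* Views/Records/Create.cshtml (Razor), the view half of the same protection:

@model Record
@using (Html.BeginForm("Create", "Records", FormMethod.Post))
{
    @Html.AntiForgeryToken()
    @Html.LabelFor(m => m.Name)
    @Html.TextBoxFor(m => m.Name)
    <input type="submit" value="Create" />
}
*/
```

Both halves are required: the attribute without the helper rejects every legitimate submission, and the helper without the attribute checks nothing. Keep the unprotected [HttpGet] action free of side effects, because GET requests carry no token.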


How does this work?

The HTML helper Html.AntiForgeryToken adds a verification token to the form as an encrypted hidden input. A matching encrypted value is also placed in a cookie in the user's browser, and the form value the user submits must pair with the value in the cookie. The evil page we created runs on another origin, so it can neither set that cookie for our site nor read the hidden token out of our form; its request arrives with the cookie but without a matching form value, and the framework rejects it.
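To make the pairing visible, here is the same check done by hand with the System.Web.Helpers.AntiForgery API that the attribute uses internally. This is an added example, not code from the article; it assumes an AJAX-style caller that sends the form half of the pair in a custom header named X-RequestVerificationToken (the header name, RecordsApiController and the Delete action are all assumptions), while the browser sends the cookie half as usual.

```csharp
// Added example (not from the article): issuing and validating the token pair
// explicitly, for a request that carries the token in a header instead of a
// form field. Failed checks are logged as likely forged requests.
using System.Diagnostics;
using System.Web;
using System.Web.Helpers;
using System.Web.Mvc;

[Authorize]
public class RecordsApiController : Controller
{
    // Assumed header our own page script sends; a third-party page cannot
    // read the token value it would need to fill this in.
    private const string TokenHeader = "X-RequestVerificationToken";

    // GET /RecordsApi/Token: hand out the form/header half of the pair and make
    // sure the cookie half is set. The cookie is HttpOnly so script cannot read it.
    [HttpGet]
    public ActionResult Token()
    {
        HttpCookie cookie = Request.Cookies[AntiForgeryConfig.CookieName];
        string oldCookieToken = cookie == null ? null : cookie.Value;

        string newCookieToken, formToken;
        AntiForgery.GetTokens(oldCookieToken, out newCookieToken, out formToken);

        // GetTokens returns a null cookie token when the existing one is still valid.
        if (newCookieToken != null)
        {
            Response.Cookies.Add(new HttpCookie(AntiForgeryConfig.CookieName, newCookieToken)
            {
                HttpOnly = true
            });
        }

        return Content(formToken, "text/plain");
    }

    // POST /RecordsApi/Delete/5: validate the pair before doing anything.
    [HttpPost]
    public ActionResult Delete(int id)
    {
        HttpCookie cookie = Request.Cookies[AntiForgeryConfig.CookieName];
        string cookieToken = cookie == null ? null : cookie.Value;
        string headerToken = Request.Headers[TokenHeader];

        try
        {
            // Throws HttpAntiForgeryException when either half is missing, the
            // two halves do not belong together, or the token was issued for
            // a different user.
            AntiForgery.Validate(cookieToken, headerToken);
        }
        catch (HttpAntiForgeryException ex)
        {
            // Treat as a probable forged request: log for the operations team
            // and refuse the action without touching the database.
            Trace.TraceWarning("Anti-forgery check failed for {0} from {1}: {2}",
                Request.Url, Request.UserHostAddress, ex.Message);
            return new HttpStatusCodeResult(400, "Invalid anti-forgery token");
        }

        // Assumed deletion of record `id` would go here.
        return new HttpStatusCodeResult(204);
    }
}
```

The logged warnings are worth watching: a steady trickle of failures from one referring site is a good early signal that someone is hosting a page like prize.html against you.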


    Conclusion

We have looked at CSRF, which is also called a "sea surf" attack, how it works, and how to prevent it in ASP.Net MVC. This attack can sometimes cause serious problems. For example, it can be used to change your profile picture, delete something from a user's account, or add a value to a user's account or profile.

Thank you for reading, and please do not forget to leave your feedback.
