Cross-Site Request Forgery Attacks in ASP.NET Web API

Introduction

This article explains Cross-Site Request Forgery (CSRF) attacks in ASP.NET Web API. In this type of attack, the attacker exploits the trust that a website places in an authenticated user's browser.

How does it Work

CSRF attacks rely on the site trusting requests that arrive from a user's browser. In this type of exploit, unauthorized commands are transmitted to the website from a user that the website trusts. The attacker gets an authenticated user to follow a link or submit a form that sends data to the site without the user realizing it.

A sample CSRF attack proceeds as follows:

  • The client logs into the website www.Example.com using forms authentication.
  • The server authenticates the client and returns an authentication cookie in the response.
  • Without logging out, the user visits a malicious website. This malicious site contains the following HTML:
    <h1>CSRF Example</h1>
    <form action="http://Example.com/api/money" method="post">
        <input type="hidden" name="operation" value="Transfer" />
        <input type="hidden" name="Money" value="500000" />
        <input type="submit" value="Submit"/>
    </form>
  • When the client clicks the submit button, the browser attaches the authentication cookie to the request.
  • The request executes on the server in the context of the authenticated user, and it can perform anything that the user is allowed to do.

When a website relies on an authentication cookie, there is an additional exposure to CSRF, because the browser sends all cookies for the destination website with every request. CSRF attacks are not limited to exploiting cookies: Basic and Digest authentication are also vulnerable, because once the client logs in with Basic or Digest authentication the browser sends the credentials automatically until the end of the session.

Limitations

  • The attacker must find a form submission on the target site, or a URL that has side effects.
  • The attacker must determine the right value for each form or URL input; if any of them must be a secret authentication value that the attacker cannot guess, the attack fails.
  • The attacker must target a site that does not check the Referer header, or a victim whose browser or plug-in allows Referer spoofing.

The attacker cannot see what the target website sends back to the victim in response to the forged request, so CSRF attacks are blind; this makes them less damaging than cross-site scripting, which can read the response.

Anti-forgery Tokens

Anti-forgery tokens protect websites against CSRF attacks. These tokens are also called "verification tokens".

  • The client requests an HTML page that contains the form.
  • The server returns two tokens in the response: one is sent as a cookie and the other is placed in a hidden form field. The tokens are generated randomly so an adversary cannot guess their values.
  • When the client submits the form, it returns both tokens to the server: the cookie token as a cookie, and the other token in the form data via the hidden form field.
  • If the request does not contain both tokens, the server rejects the request.

Example of hidden form field token:

  <form action="/Home/Check" method="post">
      <input name="RVToken" type="hidden"
             value="6fGBtLZmVBZ59oUad1Fr33BuPxANKY9q3Srr5y[...]" />
      <input type="submit" value="Click Me" />
  </form>

To protect against CSRF, use anti-forgery tokens with any authentication protocol in which the browser silently sends credentials after the user logs in. This includes forms authentication and other cookie-based authentication protocols.

Anti-forgery tokens are required for the unsafe methods: POST, PUT and DELETE. Make sure that safe methods such as GET have no side effects. If cross-domain support such as CORS or JSONP is enabled, even safe methods are potentially vulnerable to CSRF attacks, which would allow an attacker to read potentially sensitive data.

Anti-forgery Tokens in ASP.NET MVC

To add an anti-forgery token to a Razor page, use the HtmlHelper.AntiForgeryToken method:

  @using (Html.BeginForm("Arrange", "Money"))
  {
      @Html.AntiForgeryToken()
  }
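The Razor helper above issues the two tokens; the following Web API action filter is an added example (not from the article) of the server-side half of the check, refusing any request that does not carry both tokens or whose tokens do not validate. It assumes the page token is sent by the client in a custom header named X-RequestVerificationToken (an assumed name chosen for this example) and that the cookie token arrives under the default System.Web.Helpers anti-forgery cookie name.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Web.Helpers;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Apply as [ValidateWebApiAntiForgery] on POST/PUT/DELETE actions.
public class ValidateWebApiAntiForgeryAttribute : ActionFilterAttribute
{
    // Cookie name used by System.Web.Helpers.AntiForgery for the cookie token.
    private static readonly string CookieName = AntiForgeryConfig.CookieName;

    // Assumed header name for the form-field token in this example.
    private const string TokenHeader = "X-RequestVerificationToken";

    public override void OnActionExecuting(HttpActionContext actionContext)
    {
        HttpRequestMessage request = actionContext.Request;

        // Token 1: the anti-forgery cookie, which the browser attaches automatically.
        string cookieToken = request.Headers.GetCookies(CookieName)
            .Select(header => header[CookieName])
            .Where(state => state != null)
            .Select(state => state.Value)
            .FirstOrDefault();

        // Token 2: the page token, which the client must send explicitly.
        // A cross-origin page cannot read this value, so it cannot supply it.
        IEnumerable<string> headerValues;
        string formToken = request.Headers.TryGetValues(TokenHeader, out headerValues)
            ? headerValues.FirstOrDefault()
            : null;

        if (string.IsNullOrEmpty(cookieToken) || string.IsNullOrEmpty(formToken))
        {
            // One of the two tokens is missing: disallow the request.
            actionContext.Response = request.CreateErrorResponse(
                HttpStatusCode.Forbidden, "Anti-forgery tokens missing.");
            return;
        }

        try
        {
            // Verifies that both tokens were issued together for the current user.
            AntiForgery.Validate(cookieToken, formToken);
        }
        catch (HttpAntiForgeryException)
        {
            actionContext.Response = request.CreateErrorResponse(
                HttpStatusCode.Forbidden, "Anti-forgery token validation failed.");
        }
    }
}
```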