Understand Antiforgery Token In ASP.NET MVC

In this article, we will try to understand Antiforgery Token in Asp.Net MVC. Anti-forgery stands for “Act of copying or imitating things like a signature on a cheque, an official document to deceive the authority source for financial gains”.

In this article, we will try to understand Anti-forgery Token in ASP.NET MVC.

Anti-forgery stands for “Act of copying or imitating things like a signature on a check, an official document to deceive the authority source for financial gains”.

Now, in the case of web applications, it is termed as CSRF. CSRF is a method of attacking website where attackers imitate a trusted source sending the data to the site.

[Here attacker acts like a trusted source and sends data to site and website processes the data by trusting the request.]

Now, let’s take an example.

  • Now we have created a new MVCWebapplication project by File- New Project- WebApplication – MVC
  • Now add TransferAmt action method which will fetch the value of amount as amt and act as the account from Request.Form as shown below,
    1. public ActionResult TransferAmt()  
    2. {  
    3.     // Money transfer logic goes here  
    4.     return Content(Request.Form["amt"] + " has been transferred to account " + Request.Form["act"]);  
    5. }  
  • Now, in add TransferAmt View, add the below code,
    1. <html>  
    2.   
    3. <head>  
    4.     <title>Transfer money</title>  
    5. </head>  
    6.   
    7. <body>  
    8.     <div> Transfer  
    9.         <form action="Home/TransferAmt" method=post> Amount <input type="text" name="amount" value="" /><br /> Account No. <input type="text" name="account" value="" />  
    10.           <br />   
    11.           <input type=submit value="Add Money" />   
    12.           </form>  
    13.     </div>  
    14. </body>  
    15.   
    16. </html>  

The above code has two textboxes, amt and act. Now formaction is has the action as TransferAmt.

  • In Index action method, call TransferAmt View as shown below.
    1. public ActionResult Index()  
    2. {  
    3.     return View("TransferAmt");  
    4. }  
  • Now, you can run in Index action method to call TransferAmt View, as shown below.

    Antiforgeri Token in Asp.Net
  • Now, enter the values and click on Add Money button.

    Antiforgeri Token in Asp.Net
  • You will get the below result.

    Antiforgeri Token in Asp.Net
  • Now, add another MVC project and add the below code into about View.
    1. <div> Win 1000000 US$ by playing ultimate game  
    2.     <form action="http://localhost:64443/Home/TransferAmt" method=post> <input type=hidden name="amount" value="30000" /> <input type=hidden name="account" value="5005" /> @*@Html.AntiForgeryToken()*@ <input type=submit value="Play the ultimate game" /> </form>  
    3. </div>  
  • Now run the application and click on Play the ultimate game

    Antiforgeri Token in Asp.Net
  • You will get the below result
    Antiforgeri Token in Asp.Net

Now you can see even we are able to access TransferAmt from another application, which is security breach.

Now to overcome this we will use Antiforgery Token with the help of @Html.AntiForgeryToken() in view  and [ValidateAntiForgeryToken()] on actionmethod

  • Now add [ValidateAntiForgeryToken()] to TransferAmt action method as shown below,
    1. [ValidateAntiForgeryToken()]  
    2. public ActionResult TransferAmt()   
    3. {  
    4.     // Money transfer logic goes here  
    5.     return Content(Request.Form["amount"] + " has been transferred to account " + Request.Form["account"]);  
    6. }  
  • Now if you will run the application

    Antiforgeri Token in Asp.Net

  • Click on Add Money, you will get the below error for HttpAntiForgeryException

    Antiforgeri Token in Asp.Net

In the above case it is expecting a verification token which not getting supplied.

  • To fix this we need to use @Html.AntiForgeryToken() in view  as  shown below,
    1. <html>  
    2.   
    3. <head>  
    4.     <title>Transfer money</title>  
    5. </head>  
    6.   
    7. <body>  
    8.     <div> Transfer  
    9.         <form action="Home/TransferAmt" method=post> Amount <input type="text" name="amount" value="" /><br /> Account No. <input type="text" name="account" value="" /><br /> @Html.AntiForgeryToken() <input type=submit value="Add Money" /> </form>  
    10.     </div>  
    11. </body>  
    12.   
    13. </html>  
  • Now if you will run the application  and click on Add money by entering values  you will get the below result

    Antiforgeri Token in Asp.Net
  • Now run the application and click on Play the ultimate game and you will get an error which is protecting your website from unwanted anti-forgery requests.