C# – ASP.NET MVC – CSRF on a GET request

asp.net-mvcccsrfSecurity

We have a ASP.NET MVC application. All the POST requests (form submits) have been protected from CSRF by using @Html.AntiForgeryToken and ValidateAntiForgeryToken attribute.
One of the action methods on a controller is a GET which returns a report to the user (a pdf file with data from database). The signature is:

[AcceptVerbs(HttpVerbs.Get)]
public ActionResult GetReport()
{
    // get data from db
    return GetReport();

}

Here are the steps I am following to test the CSRF against this operation:

User logs into the application
When logged in , user opens the below HTML file and clicks on the Submit button:
The report gets downloaded.

Questions:

Can this be considered a CSRF attack?

If yes, how can it be mitigated? Since the action method is a GET request, how can I use MVC's CSRF approach (applying @Html.AntiForgeryToken and ValidateAntiForgeryToken on the action method).

HTML File:

<html>
      <body>
        <form action="https://<baseurl>/Analysis/GetReport">
                <input type="submit" value="Submit request" />
            </form>
          </body>
</html>

Best Answer

In short, what you've just described is not an example of an XSRF attack...

What is an XSRF attack?

Both CSRF and XSRF are used to describe what's called a Cross Site Request Forgery. It's where a malicious website takes advantage of your authenticated state on another website, to perform fraudulent cross-site requests.

Example: Online banking.

The Bank

Imagine that you're authenticated on your bank's website, and that your banks website contains a form to create new transactions, all pretty straight forward...

<!-- Your bank -->
<form action="/send_moneh" method="POST">
    <input type="text" name="amount" />
    <input type="text" name="accountNumber" />
    <input type="submit" value="Send Money" />
</form>

The Malicious website

Now let's think of the Malicious website you're also visiting, imagine that it also contains a form, one that is hidden and the values of which are pre-populated...

<!-- Malicious website -->
<form action="http://yourbank.com/send_moneh" method="POST">
    <input type="hidden" name="amount" value="100.00"/>
    <input type="hidden" name="accountNumber" value="123456" />
</form>

When the form on the malicious website is submitted, an HTTP request will be sent straight from you to your bank, and because you're authenticated on your bank's website, the transaction could be accepted.

Essentially, an attacker is using your own authentication against you by forging requests and using you as the messenger to deliver that request.

How do prevent it?

You use an anti-forgery token, this token is a string containing a random value, the token is placed in your cookies, in addition to your HTML forms.

When you receive a request, you validate that the form contains an anti-forgery token and that it matches the one stored in your cookies. A malicious site can not see the tokens your website sets on a client, and without this information, XSRF attacks are stopped in their tracks.

How do I implement it in ASP.NET MVC?

On your controller Action that will be handling the request, add the attribute [ValidateAntiForgeryToken], and in the HTML form add (@Html.AntiForgeryToken()).

public class ExampleController : Controller
{
    [ValidateAntiForgeryToken]
    [HttpPost]
    public ActionResult Test(Foo fooModel)
    { 
        // do your thing...
        return this.View();
    }
}


<form action="/Example/test" method="POST">
    @Html.AntiForgeryToken()
    <input type="text" name="bar" />
    <input type="submit" value="Submit" />
</form>

That's it!

Tips/Pointers/Advice

Anti-Forgery Tokens don't make a lot of sense when performing GET requests, in fact, they don't make sense to have them anywhere that you're not modifying and persisting data, as any GET request will be returned to your user, not the attacker.

If you're Creating, Updating or Deleting data... make sure that you're using it then.

Related Solutions

Asp.net-mvc – A potentially dangerous Request.Form value was detected from the client

I think you are attacking it from the wrong angle by trying to encode all posted data.

Note that a "<" could also come from other outside sources, like a database field, a configuration, a file, a feed and so on.

Furthermore, "<" is not inherently dangerous. It's only dangerous in a specific context: when writing strings that haven't been encoded to HTML output (because of XSS).

In other contexts different sub-strings are dangerous, for example, if you write an user-provided URL into a link, the sub-string "javascript:" may be dangerous. The single quote character on the other hand is dangerous when interpolating strings in SQL queries, but perfectly safe if it is a part of a name submitted from a form or read from a database field.

The bottom line is: you can't filter random input for dangerous characters, because any character may be dangerous under the right circumstances. You should encode at the point where some specific characters may become dangerous because they cross into a different sub-language where they have special meaning. When you write a string to HTML, you should encode characters that have special meaning in HTML, using Server.HtmlEncode. If you pass a string to a dynamic SQL statement, you should encode different characters (or better, let the framework do it for you by using prepared statements or the like)..

When you are sure you HTML-encode everywhere you pass strings to HTML, then set ValidateRequest="false" in the <%@ Page ... %> directive in your .aspx file(s).

In .NET 4 you may need to do a little more. Sometimes it's necessary to also add <httpRuntime requestValidationMode="2.0" /> to web.config (reference).

C# – How to create a dropdownlist from an enum in ASP.NET MVC

For MVC v5.1 use Html.EnumDropDownListFor

@Html.EnumDropDownListFor(
    x => x.YourEnumField,
    "Select My Type", 
    new { @class = "form-control" })

For MVC v5 use EnumHelper

@Html.DropDownList("MyType", 
   EnumHelper.GetSelectList(typeof(MyType)) , 
   "Select My Type", 
   new { @class = "form-control" })

For MVC 5 and lower

I rolled Rune's answer into an extension method:

namespace MyApp.Common
{
    public static class MyExtensions{
        public static SelectList ToSelectList<TEnum>(this TEnum enumObj)
            where TEnum : struct, IComparable, IFormattable, IConvertible
        {
            var values = from TEnum e in Enum.GetValues(typeof(TEnum))
                select new { Id = e, Name = e.ToString() };
            return new SelectList(values, "Id", "Name", enumObj);
        }
    }
}

This allows you to write:

ViewData["taskStatus"] = task.Status.ToSelectList();

by using MyApp.Common