We have an ASP.NET MVC application. All the POST requests (form submits) have been protected from CSRF by using @Html.AntiForgeryToken and the ValidateAntiForgeryToken attribute.
One of the action methods on a controller is a GET which returns a report to the user (a pdf file with data from database). The signature is:
[AcceptVerbs(HttpVerbs.Get)]
public ActionResult GetReport()
{
    // get data from db and render it as a PDF
    byte[] pdf = BuildReportPdf(); // BuildReportPdf: hypothetical stand-in for the report-building code
    return File(pdf, "application/pdf", "report.pdf");
}
Here are the steps I am following to test the CSRF against this operation:
- User logs into the application
- When logged in, user opens the HTML file below and clicks on the Submit button
- The report gets downloaded
Questions:
Can this be considered a CSRF attack?
If yes, how can it be mitigated? Since the action method is a GET request, how can I use MVC's CSRF approach (applying @Html.AntiForgeryToken and ValidateAntiForgeryToken on the action method)?
HTML File:
<html>
<body>
<form action="https://<baseurl>/Analysis/GetReport">
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Best Answer
In short, what you've just described is not an example of an XSRF attack...
What is an XSRF attack?
Both CSRF and XSRF are used to describe what's called a Cross Site Request Forgery. It's where a malicious website takes advantage of your authenticated state on another website, to perform fraudulent cross-site requests.
Example: Online banking.
Imagine that you're authenticated on your bank's website, and that your bank's website contains a form to create new transactions, all pretty straight forward...
[Figure: The Bank]
Now let's think of the Malicious website you're also visiting, imagine that it also contains a form, one that is hidden and the values of which are pre-populated...
[Figure: The Malicious website]
When the form on the malicious website is submitted, an HTTP request will be sent straight from you to your bank, and because you're authenticated on your bank's website, the transaction could be accepted. Essentially, an attacker is using your own authentication against you by forging requests and using you as the messenger to deliver that request.
How do I prevent it?
You use an anti-forgery token. This token is a string containing a random value; the token is placed in your cookies, in addition to your HTML forms. When you receive a request, you validate that the form contains an anti-forgery token and that it matches the one stored in your cookies. A malicious site cannot see the tokens your website sets on a client, and without this information, XSRF attacks are stopped in their tracks.
How do I implement it in ASP.NET MVC?
On your controller Action that will be handling the request, add the attribute [ValidateAntiForgeryToken], and in the HTML form add @Html.AntiForgeryToken(). That's it!
Tips/Pointers/Advice
Anti-Forgery Tokens don't make a lot of sense when performing GET requests; in fact, they don't make sense anywhere that you're not modifying and persisting data, as any GET request will be returned to your user, not the attacker. If you're Creating, Updating or Deleting data... make sure that you're using it then.