Cross-Site Request Forgery (CSRF)
Synchronizer Token Pattern (STP)
The server-generated token is carried in every form as a hidden field, for example:
<input type="hidden" name="csrftoken" value="KbyUmhTLMpYj7CD2di7JKP1P3qmLlkPt" />
- All MVC forms rendered with Html.BeginForm (or the form tag helper) get an anti-forgery token automatically:
@using (Html.BeginForm("ChangePassword", "Manage")) { // ... }
- If the form is written as plain HTML, add the token manually:
<form action="/" method="post"> @Html.AntiForgeryToken() </form>
- Validation
- The token is validated by placing an attribute on the MVC controller or on an action method.
- An attribute on a lower level (action) overrides an attribute on a higher level (controller or global filter).
- [ValidateAntiForgeryToken]: always validate the token
- [AutoValidateAntiforgeryToken]: validate the token except for GET, HEAD, OPTIONS and TRACE (the safe methods)
- [IgnoreAntiforgeryToken]: do not validate the token (use for safe methods only)
- A request that fails validation is answered with 400 Bad Request.
- Microsoft.AspNetCore.Antiforgery configuration (RequireSsl exists in ASP.NET Core 1.x; from 2.0 on set options.Cookie.SecurePolicy = CookieSecurePolicy.Always instead):
services.AddAntiforgery(options => {
options.FormFieldName = "csrftoken";
options.RequireSsl = true;
});
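The attribute precedence described above, as an added example that is not part of the original page: validation is registered once as a global MVC filter and then relaxed or re-enabled per controller and per action. It assumes ASP.NET Core 2.x MVC; the controllers, routes and the webhook scenario are hypothetical.

```csharp
// Added example, not from the original page: register token validation once as a
// global MVC filter and override it per controller or action. Assumes ASP.NET Core
// 2.x MVC; the controllers, routes and the webhook scenario are hypothetical.
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAntiforgery(options => options.FormFieldName = "csrftoken");
        // Every POST/PUT/PATCH/DELETE on every controller is validated unless a
        // controller or action explicitly opts out; GET/HEAD/OPTIONS/TRACE are skipped.
        services.AddMvc(options =>
            options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()));
    }
}

public class ManageController : Controller
{
    // Safe method: the global filter does not validate GET.
    [HttpGet]
    public IActionResult ChangePassword() => View();

    // Unsafe method: covered by the global filter; a missing or wrong token gives 400.
    [HttpPost]
    public IActionResult ChangePassword(string oldPassword, string newPassword)
    {
        // ... change the password ...
        return RedirectToAction(nameof(Index));
    }

    public IActionResult Index() => View();
}

// Controller-level opt-out: this endpoint is called server-to-server by a payment
// provider (authenticated by the provider's signature, not shown). There is no
// browser session cookie a CSRF attack could ride on, so the token adds nothing.
[Route("webhooks/[controller]")]
[IgnoreAntiforgeryToken]
public class PaymentController : Controller
{
    [HttpPost("notify")]
    public IActionResult Notify() => Ok();

    // Action-level attribute overrides the controller-level one: this action is
    // used from the browser with the session cookie, so the token is required again.
    [HttpPost("refund"), ValidateAntiForgeryToken]
    public IActionResult Refund(string orderId) => Ok();
}
```

Registering the global filter first and opting out per endpoint is the safer direction: a new controller is protected by default and every exception is visible in the code as an explicit [IgnoreAntiforgeryToken].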
Cookie
The cookie half of the token pair is declared in the HTTP response header:
Set-Cookie: Csrf-token=i8XNjC4b8KVok4uw5RftR38Wgp2BFwql; expires=Thu, 23-Jul-2015 10:25:33 GMT; Max-Age=31449600; Path=/
- In the double-submit variant (client script reads the token from the cookie and sends it back in a request header), this cookie MUST NOT have the httpOnly flag, because it needs to be processed by JavaScript. Only the cookie the script has to read is exposed this way; the framework's own antiforgery cookie (.AspNetCore.Antiforgery.* by default) keeps httpOnly and is never read by script.
- Microsoft.AspNetCore.Antiforgery configuration (ASP.NET Core 1.x property names; from 2.0 on these are options.Cookie.Name, options.Cookie.Path, options.Cookie.Domain and options.Cookie.SecurePolicy):
services.AddAntiforgery(options => {
options.CookieName = "CsrfCookie";
options.CookiePath = "/";
options.CookieDomain = "example.com";
options.RequireSsl = true;
});
HTTP Header / REST
For AJAX and REST calls the token is sent in a request header instead of a form field; the header name is configured in Microsoft.AspNetCore.Antiforgery:
services.AddAntiforgery(options => {
options.HeaderName = "X-Csrf-Token";
options.RequireSsl = true;
});
Several header names are in use:
- X-Csrf-Token: common default
- X-XSRF-TOKEN: Angular
- X-Requested-With: jQuery (sent as X-Requested-With: XMLHttpRequest; a marker that the request came from script, not a token)
- X-CSRF-TOKEN: Java Play Framework
- X-Requested-By: Oracle Jersey
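The cookie section and the header table above together describe the double-submit flow used with Angular. The following is an added example, not code from the original page, following the pattern of the Fiyaz Hasan article in the sources: the server issues a JavaScript-readable XSRF-TOKEN cookie on the SPA entry page and validates the X-XSRF-TOKEN header Angular sends back. It assumes ASP.NET Core 2.x MVC (options.Cookie instead of the 1.x properties); the paths, cookie name and controller are hypothetical.

```csharp
// Added example, not from the original page: issuing a JavaScript-readable
// XSRF-TOKEN cookie and validating the X-XSRF-TOKEN header that Angular echoes.
// Assumes ASP.NET Core 2.x MVC; paths, cookie name and controller are hypothetical.
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAntiforgery(options =>
        {
            // Angular's HttpClient reads the XSRF-TOKEN cookie and sends its value here.
            options.HeaderName = "X-XSRF-TOKEN";
            // The framework's own cookie stays httpOnly; it is never read by script.
            options.Cookie.Name = "CsrfCookie";
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        });
        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app, IAntiforgery antiforgery)
    {
        app.Use(next => context =>
        {
            // Only the SPA entry page needs a fresh token; API calls carry it in the header.
            if (context.Request.Path == "/" || context.Request.Path == "/index.html")
            {
                // GetAndStoreTokens writes the httpOnly framework cookie to the response
                // and returns the matching request token for this client.
                var tokens = antiforgery.GetAndStoreTokens(context);
                context.Response.Cookies.Append("XSRF-TOKEN", tokens.RequestToken,
                    new CookieOptions
                    {
                        HttpOnly = false,               // script must read this half
                        Secure = true,                  // never over plain HTTP
                        SameSite = SameSiteMode.Strict  // not sent on cross-site navigations
                    });
            }
            return next(context);
        });
        app.UseMvc();
    }
}

// Every unsafe verb on this controller needs a valid header/cookie pair;
// a POST without one is rejected with 400 before the action runs.
[Route("api/[controller]")]
[AutoValidateAntiforgeryToken]
public class OrdersController : Controller
{
    [HttpPost]
    public IActionResult Create([FromBody] OrderDto order) => Ok(order);
}

public class OrderDto
{
    public string Item { get; set; }
    public int Quantity { get; set; }
}
```

The point of the split is that an attacker's page can set neither half: it cannot read the XSRF-TOKEN cookie (same-origin policy), so it cannot produce the header, and the framework cookie is httpOnly and only validates against its own request token.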
Manual validation (without the framework): derive the token from the session with a keyed hash, so that it is bound to one session and cannot be computed without the server-side secret:
csrf_token = HMAC(session_token, application_secret)
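The formula above, as an added example that is not part of the original page: the application secret is the HMAC key and the session token is the message, and validation recomputes the token and compares in constant time. It assumes .NET Core 2.1 or later for CryptographicOperations.FixedTimeEquals; the session identifiers in Main are constructed demo values.

```csharp
// Added example, not from the original page: csrf_token = HMAC(session_token,
// application_secret), keyed with the application secret and validated in
// constant time. Assumes .NET Core 2.1+ (CryptographicOperations); the session
// ids below are constructed demo values.
using System;
using System.Security.Cryptography;
using System.Text;

public static class CsrfToken
{
    // The application secret is the HMAC key; the session token is the message.
    // Without the secret nobody can compute a valid token, and a token computed
    // for one session is worthless for another.
    public static string Create(string sessionToken, byte[] applicationSecret)
    {
        using (var hmac = new HMACSHA256(applicationSecret))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(sessionToken)));
    }

    // Recompute the expected token and compare in constant time, so a wrong
    // token fails without leaking how many leading bytes were correct.
    public static bool Validate(string submittedToken, string sessionToken, byte[] applicationSecret)
    {
        if (string.IsNullOrEmpty(submittedToken) || string.IsNullOrEmpty(sessionToken)) return false;
        byte[] submitted;
        try { submitted = Convert.FromBase64String(submittedToken); }
        catch (FormatException) { return false; }   // malformed input is simply invalid
        using (var hmac = new HMACSHA256(applicationSecret))
        {
            var expected = hmac.ComputeHash(Encoding.UTF8.GetBytes(sessionToken));
            return CryptographicOperations.FixedTimeEquals(expected, submitted);
        }
    }

    public static void Main()
    {
        // Constructed demo values: in a real application the secret comes from
        // configuration and the session token from the authenticated session.
        var secret = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(secret);
        const string sessionA = "sess-7c1f9e2a";
        const string sessionB = "sess-0d44b3c9";

        var token = Create(sessionA, secret);
        Console.WriteLine("same session:      " + Validate(token, sessionA, secret));  // accepted
        Console.WriteLine("other session:     " + Validate(token, sessionB, secret));  // rejected, bound to A
        Console.WriteLine("malformed token:   " + Validate("not-base64!", sessionA, secret));  // rejected
    }
}
```

The token must travel in a place a cross-site page cannot fill in (a form field or a custom header), while the session token stays in the cookie; a token placed in a query string or in the session cookie itself would be submitted by the browser on a forged request just like the cookie is.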
XMLHttpRequests
For old browsers that allow cross-site XMLHttpRequests, the Origin header has to be checked. The middleware below passes a request whose Origin matches the server, passes a request that was not sent via XMLHttpRequest (a plain form post is covered by the token), and denies everything else:
using System; using System.Linq; using System.Text.RegularExpressions;
using System.Threading.Tasks; using Microsoft.AspNetCore.Http;
public class OriginCheckMiddleware
{
    // compare with the configured URI instead of a regex in production code (note the escaped dot)
    private static readonly Regex Expected = new Regex(@"^https?://myserver\.com$");
    private readonly RequestDelegate _next;
    public OriginCheckMiddleware(RequestDelegate next) { _next = next; }
    public Task Invoke(HttpContext context)
    {
        // pass if the Origin header is ok (Regex.Matches returns a collection; IsMatch gives the bool)
        var origin = context.Request.Headers["Origin"].SingleOrDefault();
        if (origin != null && Expected.IsMatch(origin)) return _next(context);
        // pass if the request was not done with XmlHttpRequest (plain form posts are covered by the token)
        var requestedWith = context.Request.Headers["X-Requested-With"];
        if (!requestedWith.Any(rw => rw.Equals("XMLHttpRequest", StringComparison.OrdinalIgnoreCase))) return _next(context);
        // deny otherwise (403: the client may be authenticated, but this request is not allowed)
        context.Response.StatusCode = 403;
        return context.Response.WriteAsync("Access denied.");
    }
}
Distributed .NET Core application
Antiforgery tokens are protected with ASP.NET Core Data Protection, so in a distributed (web farm) deployment every node must share the same key ring and application name; otherwise a token issued by one node is rejected by the next. Alternatively the application secret (IAntiforgery) and the token store (IAntiforgeryTokenStore) can be implemented centrally and registered in DI, overriding the defaults.
See also: Microsoft.AspNetCore.Antiforgery
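The shared key ring mentioned above, as an added example that is not part of the original page: the Data Protection key ring that Microsoft.AspNetCore.Antiforgery uses to protect its tokens is pointed at one location for all nodes. It assumes the Microsoft.AspNetCore.DataProtection package; the share path and application name are hypothetical.

```csharp
// Added example, not from the original page: share the Data Protection key ring
// that Microsoft.AspNetCore.Antiforgery uses, so a token issued by one node is
// valid on every other node. Share path and application name are hypothetical.
using System.IO;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddDataProtection()
            // All nodes must use the same application name; keys are isolated per app name.
            .SetApplicationName("shop-frontend")
            // The default key store is per machine; point every node at one shared location.
            .PersistKeysToFileSystem(new DirectoryInfo(@"\\fileserver\dp-keys"));

        services.AddAntiforgery(options => { options.HeaderName = "X-Csrf-Token"; });
        services.AddMvc();
    }
}
```

Keys on a file share are readable by whoever can read the share, so encrypt them at rest as well (for example with ProtectKeysWithCertificate or ProtectKeysWithDpapi on Windows); with a shared ring there is no need to replace IAntiforgery or the token store.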
Sources
- Steve Smith, Fiyaz Hasan: Preventing Cross-Site Request Forgery (XSRF/CSRF) Attacks in ASP.NET Core. In: ASP.NET Core Docs. Microsoft, 14 February 2017, retrieved 12 May 2017 (English).
- Fiyaz Bin Hasan: Preventing XSRF in AngularJS Apps with ASP.NET CORE Anti-Forgery Middleware. 13 April 2016, retrieved 12 May 2017 (English).