
Cross-Site Request Forgery (CSRF)


Synchronizer Token Pattern (STP)

<input type="hidden" name="csrftoken" value="KbyUmhTLMpYj7CD2di7JKP1P3qmLlkPt" />
  • All MVC forms created with Html.BeginForm include an anti-forgery token automatically
    @using (Html.BeginForm("ChangePassword", "Manage"))
    {
        // ...
    }
    
  • Provide the token manually if the form is written as plain HTML
    <form action="/" method="post">
        @Html.AntiForgeryToken()
    </form>
    
Validation
Validation of the token is done by placing an attribute on the MVC controller or method.
An attribute given on a lower level (method) overrides attributes at a higher level (controller).
[ValidateAntiForgeryToken] always validate the token
[AutoValidateAntiforgeryToken] validate the token except for GET, HEAD, OPTIONS, TRACE
[IgnoreAntiforgeryToken] do not validate the token (use for safe methods only, i.e. methods that do not change state)
Microsoft.AspNetCore.Antiforgery
services.AddAntiforgery(options => {
    options.FormFieldName = "csrftoken";
    options.RequireSsl = true;
});

The token is declared in the HTTP response header as a cookie:

Set-Cookie: Csrf-token=i8XNjC4b8KVok4uw5RftR38Wgp2BFwql; expires=Thu, 23-Jul-2015 10:25:33 GMT; Max-Age=31449600; Path=/
  • MUST NOT have an HttpOnly flag! It needs to be read by JavaScript so the script can copy it into the request header.
Microsoft.AspNetCore.Antiforgery
services.AddAntiforgery(options => {
    options.CookieName = "CsrfCookie";
    options.CookiePath = "/";
    options.CookieDomain = "example.com";
    options.RequireSsl = true;
});

HTTP-Header / REST

Microsoft.AspNetCore.Antiforgery
services.AddAntiforgery(options => {
    options.HeaderName = "X-Csrf-Token";
    options.RequireSsl = true;
});

There are multiple header names in use, depending on the client framework:

HTTP header          Used by
X-Csrf-Token         Standard
X-XSRF-TOKEN         Angular
X-Requested-With     jQuery
X-CSRF-TOKEN         Java Play Framework
X-Requested-By       Oracle Jersey

Manual validation:

csrf_token = HMAC(session_token, application_secret)
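A worked version of this manual validation, added here as an illustration and not taken from the notes above or from ASP.NET Core. It is written in Python rather than C#, assumes that the application secret is the HMAC key and the session token the message, and reuses the X-Csrf-Token header and the safe-method list from the sections above:

```python
import hashlib
import hmac

# Values taken from the notes above: the REST header name and the methods that
# [AutoValidateAntiforgeryToken] leaves unchecked.
HEADER_NAME = "X-Csrf-Token"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def make_csrf_token(session_token: str, application_secret: bytes) -> str:
    """csrf_token = HMAC(session_token, application_secret).

    Assumed reading of the formula: the application secret is the HMAC key and
    the session token is the message, so the token is bound to one session and
    cannot be produced without the server-side secret.
    """
    return hmac.new(application_secret, session_token.encode(), hashlib.sha256).hexdigest()


def validate_request(method: str, headers: dict, session_token: str,
                     application_secret: bytes) -> bool:
    """Return True if the request may proceed, False if it must be rejected."""
    if method.upper() in SAFE_METHODS:
        return True  # safe methods must not change state, so no token is required
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    presented = lowered.get(HEADER_NAME.lower())
    if presented is None:
        return False  # a forged cross-site request cannot read the token, so it arrives without one
    expected = make_csrf_token(session_token, application_secret)
    # constant-time comparison so the check leaks no timing information about the token
    return hmac.compare_digest(presented.encode(), expected.encode())


if __name__ == "__main__":
    secret = b"constructed-application-secret"  # constructed sample value
    token = make_csrf_token("session-A", secret)  # issued to the browser for session A
    print(validate_request("POST", {"X-Csrf-Token": token}, "session-A", secret))  # True
    print(validate_request("POST", {}, "session-A", secret))                       # False
    print(validate_request("POST", {"X-Csrf-Token": token}, "session-B", secret))  # False
```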

XMLHttpRequests


For old browsers that allow cross-site XMLHttpRequests, the Origin header has to be checked:

// Runs inside a middleware's Invoke(HttpContext context); _next is the pipeline's RequestDelegate.
// Requires: using System; using System.Linq; using System.Text.RegularExpressions; using Microsoft.AspNetCore.Http;
var request = context.Request;

// pass if Origin header is ok (dot escaped so that only this host matches)
var expected = new Regex(@"^https?://myserver\.com$"); // compare with the configured URI for production code
var origin = request.Headers["Origin"].SingleOrDefault();
if (origin != null && expected.IsMatch(origin)) return _next(context);

// pass if the request was not done with XMLHttpRequest
var requestedWith = request.Headers["X-Requested-With"];
if (!requestedWith.Any(rw => rw.Equals("XMLHttpRequest", StringComparison.OrdinalIgnoreCase))) return _next(context);

// deny otherwise: a cross-site XMLHttpRequest from an unexpected Origin
var response = context.Response;
response.StatusCode = 401;
return response.WriteAsync("Access denied.");

Distributed .NET Core application


In a distributed .NET Core application, the application secret (IAntiforgery) and the antiforgery token store (IAntiforgeryTokenStore) must be implemented centrally and overridden in the DI container, so that every instance issues and validates the same tokens.

See also: Microsoft.AspNetCore.Antiforgery
