
Prevent Cross-Site Request Forgery (CSRF) attack in ASP.NET MVC

How do you prevent a Cross-Site Request Forgery (CSRF) attack in ASP.NET MVC?

A Cross-Site Request Forgery (CSRF) attack is one in which a malicious website sends a request to a web application/site on which the user is already authenticated.

In other words, a cross-site request forgery (CSRF) attack is a type of attack where a request is submitted to an action from somewhere other than the form it was originally meant to be submitted from. To prevent this kind of attack, we can use the @Html.AntiForgeryToken() helper method in the ASP.NET MVC form and the ValidateAntiForgeryToken attribute on the controller action.


@using (Html.BeginForm()) {
    @Html.AntiForgeryToken()
    @Html.ValidationSummary(true)

    <div class="editor-label">
        @Html.LabelFor(model => model.FirstName)
    </div>
    <div class="editor-field">
        @Html.EditorFor(model => model.FirstName)
        @Html.ValidationMessageFor(model => model.FirstName)
    </div>

    <p><input type="submit" value="Create" /></p>
}
Notice the @Html.AntiForgeryToken() line in the above form. Because of that line, a hidden input named __RequestVerificationToken is generated in the form with an encrypted token value, which is validated on the server side to ensure that a CSRF attack is not taking place.

<form action="/PersonalDetail/Create" method="post">
<input name="__RequestVerificationToken" value="lgp_fxdlYmHf7q4Tpn75nq1Pdd3m4G3Vnb1uFEJ0FBhYHdXyH4VFg8dxvO2ScYt_49ZQg7prob9RfNrj7IWHkOgcQjBEM2oX_W1VnHfAOSA1" />
<div class="validation-summary-errors"><ul><li style="display:none"> ………….. </form>

Just keeping @Html.AntiForgeryToken() in the form is not enough. We also need to add the [ValidateAntiForgeryToken] attribute to the action method of the controller to which the form is being submitted.

[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult Create(PersonalDetail personaldetail)
{
    // ... validate and save personaldetail, then redirect ...
    return RedirectToAction("Index");
}
Now we can be confident that any request reaching this action method originated from our own form: a POST that does not carry a valid token is rejected, so the CSRF attack fails.
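The attribute above protects one action at a time, so an action that is simply forgotten stays unprotected. As an added example (not the page's own code), the global filter below enforces the same check on every state-changing request using the same AntiForgery helpers; the X-RequestVerificationToken header name used for AJAX callers and the FilterConfig location are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Helpers;
using System.Web.Mvc;

// Hypothetical global filter (added example): validates the anti-forgery token
// on every non-safe request so that no POST action can be left unprotected.
public class ValidateAntiForgeryOnStateChangeAttribute : FilterAttribute, IAuthorizationFilter
{
    // Assumed header name for callers that cannot post a form field (e.g. AJAX).
    private const string HeaderName = "X-RequestVerificationToken";

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        var request = filterContext.HttpContext.Request;

        // Safe (read-only) methods change no state; nothing to validate.
        string method = request.HttpMethod;
        if (method == "GET" || method == "HEAD" || method == "OPTIONS")
            return;

        // One half of the token travels in the __RequestVerificationToken form
        // field emitted by @Html.AntiForgeryToken(); AJAX callers send it in a header.
        string formToken = request.Form["__RequestVerificationToken"] ?? request.Headers[HeaderName];

        // The other half lives in the anti-forgery cookie set by the same helper.
        HttpCookie cookie = request.Cookies[AntiForgeryConfig.CookieName];
        string cookieToken = cookie != null ? cookie.Value : null;

        try
        {
            // Throws HttpAntiForgeryException if either half is missing or they do not match.
            AntiForgery.Validate(cookieToken, formToken);
        }
        catch (HttpAntiForgeryException)
        {
            // Reject the request instead of running the action.
            filterContext.Result = new HttpStatusCodeResult(400, "Anti-forgery token validation failed");
        }
    }
}

// Register once (assumed location: App_Start/FilterConfig.cs) so it applies to every controller:
//   filters.Add(new ValidateAntiForgeryOnStateChangeAttribute());
```

With this filter registered, a rejected request surfaces as an HTTP 400 in the server logs, which is a useful signal to monitor for forged submissions.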
