preventing xsrf in asp.net core apps
.NET CORE Security Fiyaz Hasan
Preventing XSRF in ASP.NET Core
XSRF…what?
"Cross Site Request Forgery (XSRF/CSRF) is a type of security breach where a hacker can trick the user into making unwanted requests to a web application where the user is already authenticated."
Authentication Systems

Cookie Based (Browser <-> Server)
  Browser -> Server: Authenticate  username=…&password=…
  Server -> Browser: HTTP 200 OK  Set-Cookie: session=…
  Browser -> Server: GET /controller/action  Cookie: session=…
  Server: find and deserialize the session from the database
  Server -> Browser: HTTP 200 OK  { data: "data" }
Are Cookies Evil?
Token Based (Browser <-> Server)
  Browser -> Server: Authenticate  username=…&password=…
  Server -> Browser: HTTP 200 OK  { token: 'JWT' }
  Browser -> Server: GET /api/action  Authorization: Bearer {JWT}
  Server: validate the token
  Server -> Browser: HTTP 200 OK  { data: "data" }
User Token & Antiforgery Token Aren't the Same

Antiforgery System (Browser <-> Server)
  Browser -> Server: request for a particular route
  Server: create and store the token, then send the token in the response
  Server -> Browser: HTTP 200 OK  Set-Cookie: antiforgery.token=…
  Browser -> Server: POST /controller/action  hidden __RequestVerificationToken field
  Server: checks that this token is valid
  Server -> Browser: HTTP 200 OK  { data: "data" }
Built-in support for MVC

Forms
  HtmlHelpers: Html.BeginForm("Add", "Transaction")
  TagHelpers: <form asp-controller="Transaction" asp-action="Add">

Antiforgery Middleware
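The following is an added example, not code from the slides or from the speaker, showing the antiforgery flow from the "Antiforgery System" slide wired up with ASP.NET Core MVC's built-in support: the GET action creates the token pair and stores the cookie half, the hidden __RequestVerificationToken field carries the request half, and the AutoValidateAntiforgeryToken filter rejects any POST whose two halves do not match. The controller and route names mirror the slides; the amount field, the X-CSRF-TOKEN header name and the hand-built HTML are assumptions made for the example.

```csharp
// Added example (not from the slides): a minimal ASP.NET Core app that issues an
// antiforgery token for a form and validates it on POST. The "amount" field and the
// header name are hypothetical choices made for this example.
using System.Net;
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Mvc;

var builder = WebApplication.CreateBuilder(args);

// Validate the token on every unsafe method (POST/PUT/PATCH/DELETE) in every
// controller instead of remembering [ValidateAntiForgeryToken] on each action.
builder.Services.AddControllersWithViews(options =>
    options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()));

builder.Services.AddAntiforgery(options =>
{
    // Header the antiforgery filter also accepts, for JavaScript callers that
    // cannot post a hidden form field (assumed name for this example).
    options.HeaderName = "X-CSRF-TOKEN";
    // The cookie half of the token never needs to be readable by scripts.
    options.Cookie.HttpOnly = true;
    options.Cookie.SameSite = SameSiteMode.Strict;
});

var app = builder.Build();
app.MapControllers();
app.Run();

[Route("transaction")]
public class TransactionController : Controller
{
    private readonly IAntiforgery _antiforgery;

    public TransactionController(IAntiforgery antiforgery) => _antiforgery = antiforgery;

    // GET /transaction/add: the server creates the token pair, stores the cookie half
    // via Set-Cookie and embeds the request half as the hidden form field.
    [HttpGet("add")]
    public IActionResult Add()
    {
        AntiforgeryTokenSet tokens = _antiforgery.GetAndStoreTokens(HttpContext);
        string requestToken = WebUtility.HtmlEncode(tokens.RequestToken);
        string html =
            "<form method=\"post\" action=\"/transaction/add\">" +
            $"<input type=\"hidden\" name=\"__RequestVerificationToken\" value=\"{requestToken}\" />" +
            "<input name=\"amount\" /><button type=\"submit\">Add</button></form>";
        return Content(html, "text/html");
    }

    // POST /transaction/add: the AutoValidateAntiforgeryToken filter runs before this
    // action and answers 400 when the cookie token and the form (or header) token do
    // not match, which is the case for a submission forged from another site.
    [HttpPost("add")]
    public IActionResult Add([FromForm] decimal amount)
    {
        return Ok(new { data = $"added {amount}" });
    }
}
```

With Razor views, the form tag helper from the slide (`<form asp-controller="Transaction" asp-action="Add">`) emits the hidden field for you; this example renders the form by hand only so that both halves of the token are visible in one file. A client that sends JSON instead of a form has to put the request token in the X-CSRF-TOKEN header, since the filter looks in the form field first and then in the configured header.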
Thanks! Any questions?
You can find me at: @FiyazBinHasan, www.fiyazhasan.me