.NET CORE Security Fiyaz Hasan

Preventing XSRF in ASP.NET Core

XSRF…what?

“Cross Site Request Forgery

(XSRF/CSRF) is a type of security breech where a hacker can trick the user

into making unwanted requests for a web

application where the user is already authenticated

Authentication Systems

Cookie Based Browser Server

Authenticateusername=…&password=…

HTTP 200 OKSet-Cookie: session=…

GET /controller/actionCookie: session=…

HTTP 200 OK{ data: “data“ }

Find and desirialize session from database

Are Cookies Evil?

Token Based Browser Server

Authenticateusername=…&password=…

HTTP 200 OK{token: ‘JWT’}

GET /api/actionAuthorization: Bearer {JWT}

HTTP 200 OK{ data: “data“ }

Validate Token

User Token & Antiforgery Token

Aren’t Same

Antiforgery SystemBrowser Server

Particular Route Request

HTTP 200 OKSet Cookie:

antiforgery.token=…

POST /controller/actionHidden __RequestVerificationToken field

HTTP 200 OK{ data: “data“ }

Checks if this token is validated

Create And Store Token then send the

token in the response

Built-in support for MVC

Forms

HtmlHelpersHtml.BeginForm("Add", "Transaction")

TagHelpers<form asp-controller="Transaction" asp-

action="Add“>

Antiforgery Middlerware

Thanks!Any questions?You can find me at:@FiyazBinHasanwww.fiyazhasan.me