ASP.NET MVC Application Security

Today I was testing my ASP.NET MVC web application and found out that anyone can easily submit our site's form without having to come to my site at all?

Example: example.com/home/test

    [HttpPost]
    public ActionResult Test(string name)
    {
        return View("home");
    }

    <!-- a form hosted on some other site that posts to mine -->
    <form id="myForm" method="post" action="http://example.com/home/test">
        <input type="text" name="name" />
        <input type="submit" />
    </form>

If another site builds this form and a user fills it out, my site will be affected.

Can I check whether the request was made by the user through my site or through another one?

4 answers

It looks like you are probably looking for some help with cross-site request forgery (CSRF). ASP.NET MVC has a fairly simple tool to help with this:

If you include <%= Html.AntiForgeryToken() %> inside the form that is being submitted, you can mark your action method with the [ValidateAntiForgeryToken] attribute and have a pretty good handle on stopping CSRF attacks. Don't take my word for it: check out Steve Sanderson's [old] blog post, which should have all the background and information you need.

http://blog.stevensanderson.com/2008/09/01/prevent-cross-site-request-forgery-csrf-using-aspnet-mvcs-antiforgerytoken-helper/

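The following is an added example, not code from the answer above or from Steve Sanderson's post. It shows the poster's action before and after the fix, the matching view markup in the page's WebForms view syntax, and an optional handler that turns a failed token check into a logged 403 instead of an unhandled exception. It assumes an ASP.NET MVC 3 or later project (for HttpStatusCodeResult) with a HomeController and a Views/Home/Test view; the logging call is a placeholder.

```csharp
using System.Web.Mvc;

// Added example (not the original poster's code). Assumes an ASP.NET MVC 3+
// project with a HomeController and a Views/Home/Test.aspx view.
public class HomeController : Controller
{
    // GET /home/test renders the form. Html.AntiForgeryToken() in the view writes
    // a hidden __RequestVerificationToken field and sets a cookie whose value the
    // hidden field must match. Another site can make a victim's browser send the
    // cookie, but it cannot read the cookie value to fill in the hidden field.
    //
    //   <% using (Html.BeginForm("Test", "Home", FormMethod.Post)) { %>
    //       <%= Html.AntiForgeryToken() %>
    //       <input type="text" name="name" />
    //       <input type="submit" value="Send" />
    //   <% } %>
    [HttpGet]
    public ActionResult Test()
    {
        return View();
    }

    // BEFORE (the poster's version): any site can host a form that posts here,
    // and the victim's browser will happily submit it.
    //
    //   [HttpPost]
    //   public ActionResult Test(string name) { return View("home"); }

    // AFTER: the filter throws HttpAntiForgeryException unless the hidden field
    // and the cookie are both present and match.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Test(string name)
    {
        // ... handle the submission ...
        return View("home");
    }

    // Optional: answer a failed token check with a 403 (and a log line) rather
    // than letting the exception surface as a 500 with a stack trace.
    protected override void OnException(ExceptionContext filterContext)
    {
        if (filterContext.Exception is HttpAntiForgeryException)
        {
            // Placeholder: log filterContext.HttpContext.Request.UserHostAddress,
            // the Referer header and the target action here.
            filterContext.Result = new HttpStatusCodeResult(403, "Anti-forgery token missing or invalid");
            filterContext.ExceptionHandled = true;
        }
        base.OnException(filterContext);
    }
}
```

Two things to check when applying this: every action that changes state should be [HttpPost] plus [ValidateAntiForgeryToken] (a state-changing GET is just as forgeable, and the token filter cannot help it), and the hidden field only reaches the server if the form is rendered by your own view, so AJAX posts that build their own request body must copy the field's value into the request themselves.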

Use the [Authorize] filter to prevent anonymous users from accessing controllers or actions.

http://davidhayden.com/blog/dave/archive/2009/04/09/CustomAuthorizationASPNETMVCFrameworkAuthorizeAttribute.aspx

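As an added example (not the answer's or the linked post's code), here is a custom AuthorizeAttribute of the kind the link describes, used together with the anti-forgery filter. The attribute and controller names are assumptions, and it assumes forms authentication is configured in web.config and ASP.NET MVC 3 or later. The point a practitioner should keep in mind is in the comments: [Authorize] keeps anonymous users out, but a signed-in victim's browser attaches the authentication cookie to a cross-site POST, so [Authorize] on its own does not stop CSRF.

```csharp
using System.Web.Mvc;

// Added example. Hypothetical attribute name; assumes forms authentication and
// role membership are already configured for the application.
public class RoleOrForbidAttribute : AuthorizeAttribute
{
    // The stock AuthorizeAttribute returns 401 for every failure, which forms
    // authentication turns into a redirect to the login page even when the user
    // is already signed in and merely lacks the role. Return 403 for that case so
    // the failure is visible to the user and distinguishable in the logs.
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        var user = filterContext.HttpContext.User;
        if (user != null && user.Identity != null && user.Identity.IsAuthenticated)
        {
            filterContext.Result = new HttpStatusCodeResult(403, "Forbidden");
            return;
        }
        // Anonymous caller: keep the default 401 -> login redirect behaviour.
        base.HandleUnauthorizedRequest(filterContext);
    }
}

[Authorize] // every action on this controller requires a signed-in user
public class AccountSettingsController : Controller
{
    public ActionResult Index()
    {
        return View();
    }

    // Role check and anti-forgery check are complementary, not alternatives:
    // a logged-in Admin who visits a hostile page would still send the auth
    // cookie with a forged POST, and only the token filter catches that.
    [HttpPost]
    [RoleOrForbid(Roles = "Admin")]
    [ValidateAntiForgeryToken]
    public ActionResult DeleteAccount(int id)
    {
        // ... delete the account identified by id ...
        return RedirectToAction("Index");
    }
}
```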
Stephen, I can recommend that you watch the video: HaaHa Show: Microsoft ASP.NET MVC Security with Haack and Hanselman

At about the 24-minute mark they discuss how to protect an MVC website with the Html.AntiForgery helper and show how you can implement it on an MVC site.


Steven

In addition to the above suggestions (which, for the life of me, I can't understand why they work), you can also check the origin of the request inside the controller:

    var origReq = HttpContext.Request.UrlReferrer;

or look at the headers and decide what to do based on their content:

    var headers = HttpContext.Request.Headers;

[edit] - of course, "headers" can be faked (depending on how the cross-post to your site was put together), so you could probably use them for informational purposes only - this is not 100% reliable...

You can decide whether this "post" is allowed or not, depending on whether it originated from your domain (or an approved domain).

Jim

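The check Jim sketches, written out as an added example (not his code): an action filter that compares the Origin header, falling back to Referer, against a list of your own hosts. The attribute name and the host list are assumptions, and it assumes ASP.NET MVC 3 or later. The caveat in the answer is real, so the comments spell out exactly what the headers do and do not guarantee: a browser fills them in itself and does not let a hostile page overwrite them, but either may be absent, and a non-browser client can send anything.

```csharp
using System;
using System.Web.Mvc;

// Added example, not code from Jim's answer. The attribute name and AllowedHosts
// are assumptions; replace the list with your own domains.
public class SameOriginPostAttribute : ActionFilterAttribute
{
    private static readonly string[] AllowedHosts = { "example.com", "www.example.com" };

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var request = filterContext.HttpContext.Request;
        if (!string.Equals(request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase))
            return; // only guard state-changing requests

        // Browsers set Origin and Referer themselves; script on another site cannot
        // overwrite them, so a foreign value really does mean a cross-site request.
        // Either header may be missing (older browsers, privacy settings, proxies),
        // and a client that is not a browser can send whatever it likes.
        string sourceHost = HostOf(request.Headers["Origin"]) ?? HostOf(request.Headers["Referer"]);

        if (sourceHost == null)
        {
            // No usable header at all: fail closed. Relax this to "allow but log"
            // if legitimate clients are known to strip Referer.
            filterContext.Result = new HttpStatusCodeResult(403, "Missing Origin/Referer");
            return;
        }

        if (Array.IndexOf(AllowedHosts, sourceHost) < 0)
        {
            // Whole-host comparison, so look-alikes such as example.com.evil.example
            // and any plain foreign host are rejected.
            filterContext.Result = new HttpStatusCodeResult(403, "Cross-site POST rejected");
        }
    }

    // Lower-cased host of an absolute URL, or null when the header is missing or
    // not parseable. A literal "Origin: null" (sandboxed frame, data: page) has no
    // scheme, so it also yields null and falls through to the fail-closed branch.
    private static string HostOf(string headerValue)
    {
        Uri uri;
        if (string.IsNullOrEmpty(headerValue) || !Uri.TryCreate(headerValue, UriKind.Absolute, out uri))
            return null;
        return uri.Host.ToLowerInvariant();
    }
}

// Usage: alongside the anti-forgery filter as defence in depth, not instead of it.
public class HomeController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    [SameOriginPost]
    public ActionResult Test(string name)
    {
        return View("home");
    }
}
```

The Referer is read from the raw header and parsed with Uri.TryCreate rather than through Request.UrlReferrer, because UrlReferrer throws on a malformed Referer header and an attacker-controlled client can send one on purpose. Treat a rejection here as a signal worth logging, since with a correct token filter in place it usually means either a misconfigured proxy or someone probing the form.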
