Geek Answers Handbook

ASP.NET MVC Anti Forgery Token Insecure

I can see the verification token key generated by the MVC3 framework as plain text when I execute a server request without ssl.

This key is stored in a cookie called: _RequestVerificationToken_Lw __

In a mixed security environment, you can actually see this token in plain text sent to the server upon initial request to the non ssl website. This token is also static throughout the user's session. Then what's the point of using this token when it can easily be stolen by an attacker, because cookies get into plain text.

Should this cookie be marked as safe and should never be sent in plain text? Or at least regenerate for each request so that the protected information does not flow from the ssl channel?

I am talking about this block in the MVC 3 AntiForgeryWorker class

 private string GetAntiForgeryTokenAndSetCookie(HttpContextBase httpContext, string salt, string domain, string path) { string forgeryTokenName = AntiForgeryData.GetAntiForgeryTokenName(httpContext.Request.ApplicationPath); AntiForgeryData token = (AntiForgeryData) null; HttpCookie httpCookie = httpContext.Request.Cookies[forgeryTokenName]; if (httpCookie != null) { try { token = this.Serializer.Deserialize(httpCookie.Value); } catch (HttpAntiForgeryException ex) { } } if (token == null) { token = AntiForgeryData.NewToken(); string str = this.Serializer.Serialize(token); HttpCookie cookie = new HttpCookie(forgeryTokenName, str) { HttpOnly = true, Domain = domain }; if (!string.IsNullOrEmpty(path)) cookie.Path = path; httpContext.Response.Cookies.Set(cookie); //Ma, Why isn't this marked as "SECURE" } return this.Serializer.Serialize(new AntiForgeryData(token) { Salt = salt, Username = AntiForgeryData.GetUsername(httpContext.User) }); }
+6
source share
2 answers

When protecting against CSRF attacks, the best solution is always to use SSL. Without SSL, yes, nonce - as it is called - is vulnerable to a MITM attack. When using cookies to store nonce cookies should only be tagged with an HTTP code. This prevents JavaScript from reading cookies. You should also make nonce a <input type="hidden" value="nonce"> in all <form> in addition to the cookie.

Anyone with access to the browser itself will be able to read nonce, and the only way to prevent a re-attack is to have nonce expire for the first time after they have been checked by the server for the first time. This approach can cause a terrible user experience when the user uses the back button and, in addition, retransmits the request with the same number. Because you use the ASP.NET MVC built-in CSRF protection mechanism, changing its behavior may not be easy to use a single use of nonce once. (EDIT: Thanks to Levi below for telling me that ASP.NET MVC actually makes this pretty simple)

If you need better control over the creation and verification of nons, then I propose to implement my own implementation, as it was in my JuniorRoute structure. In fact, feel free to take a look at the source code of JuniorRoute to find out how I implemented it. This is too much code to report stack overflow.

+8
source

This is a pretty inflammatory question that you have.

The built-in MVC anti-fake feature is as secure as it is for the application. All cookies written in Response.Cookies will be automatically marked with a β€œprotected” modifier if <httpCookies requireSSL="true" /> set to Web.config ( see MSDN Docs ). MVC anti-fake cookie also gets this behavior if this switch is set.

Combine this with other features, such as setting the HSTS header in your answers, and you essentially guarantee that the browser will never send sensitive data over clear-text channels.

In addition, the anti-fake system allows you to store user data in tokens, and you can receive a callback to check user data when checking the token. See AntiForgeryConfig.AdditionalDataProvider for more details.

+21
source

More articles:


All Articles