Cross-Site Request Forgery (CSRF):-

Cross-Site Request Forgery = XSS + Confused deputy

Confused deputy - as per Wikipedia: "A confused deputy is a computer program that is innocently fooled by some other party into misusing its authority. It is a specific type of privilege escalation."

Solution:

An ASP.NET MVC application handles CSRF threats by token verification. The simplest way to do this is to embed a hidden input containing a unique, unguessable value into each form, and to verify that value on the server before the posted request is processed.

Example:

Controller action:

    [HttpPost]
    [ValidateAntiForgeryToken]   // rejects the post unless the hidden form token matches the anti-forgery cookie
    public ActionResult Register(RegisterModel model)
    {
        // registration logic for the posted model
        return View(model);
    }

Views:

    @using (Html.BeginForm()) {
        @Html.AntiForgeryToken()   @* emits the hidden __RequestVerificationToken field and sets the matching cookie *@
        ---
    }
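To make the verification step concrete, here is an added example (not code from the original page or from ASP.NET MVC) modelling what the helper and the attribute do together: a random token in a cookie, a hidden form field bound to that cookie and to the logged-in user by an HMAC, and a server-side check that both arrive and match. The server key, the token encoding and the scenario functions are assumptions for the demonstration; only the cookie/field pairing mirrors the framework.

```python
import hashlib
import hmac
import secrets

# Assumption: a single server-side secret. The real framework has its own key management
# and token format; only the cookie + hidden-field pairing and user binding are modelled.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"
TOKEN_NAME = "__RequestVerificationToken"  # name ASP.NET MVC uses for both cookie and field


def _bind(cookie_token: str, username: str) -> str:
    """Form token = HMAC(cookie token, user): valid only with the cookie it was issued for."""
    msg = f"{cookie_token}:{username}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_tokens(username: str) -> tuple[str, str]:
    """What the view helper does: return (cookie_token, form_token) for the rendered form."""
    cookie_token = secrets.token_hex(16)
    return cookie_token, _bind(cookie_token, username)


def validate_request(username: str, cookies: dict, form: dict) -> bool:
    """What the action filter does: check the pair before the controller action runs."""
    cookie_token = cookies.get(TOKEN_NAME)
    form_token = form.get(TOKEN_NAME)
    if not cookie_token or not form_token:
        return False  # a cross-site post carries the cookie but cannot read it to fill the field
    return hmac.compare_digest(_bind(cookie_token, username), form_token)


def legitimate_post() -> bool:
    """User loads the form (gets both tokens) and submits it from the same site."""
    cookie_token, form_token = issue_tokens("alice")
    return validate_request("alice", {TOKEN_NAME: cookie_token},
                            {TOKEN_NAME: form_token, "Email": "alice@example.com"})


def cross_site_post_without_field() -> bool:
    """A post from another origin: the browser attaches the cookie, the hidden field is absent."""
    cookie_token, _ = issue_tokens("alice")
    return validate_request("alice", {TOKEN_NAME: cookie_token}, {"Email": "other@example.com"})


def cross_site_post_with_foreign_token() -> bool:
    """A form token issued for a different cookie/user does not validate for alice's cookie."""
    victim_cookie, _ = issue_tokens("alice")
    _, foreign_form_token = issue_tokens("mallory")
    return validate_request("alice", {TOKEN_NAME: victim_cookie}, {TOKEN_NAME: foreign_form_token})
```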