Hi,
To prevent cross-site request forgery attacks in a .NET 4.0 MVC web application, we have generated CSRF tokens per page using @Html.AntiForgeryToken(). Token validation is done on each request by applying [ValidateAntiForgeryToken], an API provided by the framework, in the respective controllers and actions.
When a request from the client browser is captured and sent again from a proxy tool with the captured data, the server application accepts it and no validation error is shown.
The captured data contains the generated token value (__RequestVerificationToken) in the request body.
The application is SSL-enabled (self-signed certificate) and is hosted over HTTPS.
The tool can copy the validated token from the request body, and the operator can send a new request with this old token, i.e. the validated token is still available. Is there any way to invalidate or remove already-generated form tokens?
We would also like to know whether there are any other security measures to consider to prevent cross-site attacks.
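The following is an added example, not code from the original post or from ASP.NET. It is a small Python model of the synchronizer-token pattern that the anti-forgery helpers implement: a random cookie token and a form token that must correspond, checked by the server on every state-changing request. The HMAC construction, the binding of the form token to the authenticated user name, the `SERVER_KEY` literal and the `SingleUseTokenStore` class are assumptions made for illustration, not the framework's internal format. The model shows why a request replayed with the same session cookie is accepted by a stateless check (per-session tokens are not single-use by design), why a token submitted with a different session's cookie is rejected (the actual cross-site case), and what a server-side single-use variant would need to reject replay of an already-consumed form token.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Set, Tuple

# Constructed demo key (assumption). A real deployment derives this from the
# machine key / data-protection configuration, never from a literal in source.
SERVER_KEY = b"constructed-demo-key-do-not-use"


def _form_token_for(cookie_token: str, user: str) -> str:
    """Form token = HMAC over (cookie token, authenticated user). Assumed design."""
    msg = f"{cookie_token}:{user}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token_pair(user: str) -> Tuple[str, str]:
    """Role of @Html.AntiForgeryToken(): called while rendering a form.

    Returns (cookie_token, form_token). The cookie token travels in an
    HttpOnly cookie; the form token goes into the hidden form field.
    """
    cookie_token = secrets.token_hex(16)
    return cookie_token, _form_token_for(cookie_token, user)


def validate_request(cookie_token: str, form_token: str, user: str) -> bool:
    """Role of [ValidateAntiForgeryToken]: stateless check, no server-side store."""
    if not cookie_token or not form_token:
        return False
    expected = _form_token_for(cookie_token, user)
    return hmac.compare_digest(expected, form_token)


class SingleUseTokenStore:
    """Hypothetical server-side variant that rejects replay of a consumed form token."""

    def __init__(self) -> None:
        self._outstanding: Set[str] = set()

    def issue(self, user: str) -> Tuple[str, str]:
        cookie_token, form_token = issue_token_pair(user)
        self._outstanding.add(form_token)
        return cookie_token, form_token

    def consume(self, cookie_token: str, form_token: str, user: str) -> bool:
        if not validate_request(cookie_token, form_token, user):
            return False
        if form_token not in self._outstanding:
            return False  # already used or never issued by this server
        self._outstanding.discard(form_token)
        return True


def demo() -> Dict[str, bool]:
    """Walk through the scenarios from the question; returns accept/reject verdicts."""
    user = "alice"
    results: Dict[str, bool] = {}

    # Victim's own session: cookie and form token issued together.
    victim_cookie, victim_form = issue_token_pair(user)
    results["legitimate_submit"] = validate_request(victim_cookie, victim_form, user)

    # Cross-site forgery: a third-party page can only supply a form token from
    # some other session, while the browser attaches the victim's cookie.
    _other_cookie, other_form = issue_token_pair(user)
    results["forged_cross_site"] = validate_request(victim_cookie, other_form, user)

    # Captured request re-sent with the same cookie and form token: the
    # stateless check accepts it, because the token is per-session, not per-use.
    results["replay_stateless"] = validate_request(victim_cookie, victim_form, user)

    # Single-use store: first submission succeeds, re-sending the same token fails.
    store = SingleUseTokenStore()
    c2, f2 = store.issue(user)
    results["single_use_first"] = store.consume(c2, f2, user)
    results["single_use_replay"] = store.consume(c2, f2, user)
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The `replay_stateless` case is the behaviour described in the question: the anti-forgery check defends against a request the victim's browser was tricked into sending, not against someone who already holds both the session cookie and the form token, since the check cannot distinguish that from a legitimate submission. Making tokens single-use, as the store above does, requires server-side state and also breaks the back button and multi-tab use, so it is usually reserved for a small number of high-value actions.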