How to prevent cross site forgery attack in .NET 4.0 MVC web application by using Antiforgery Technique

  • Question

  • Hi,

    To prevent cross site forgery attacks in a .NET 4.0 MVC web application, we have generated CSRF tokens per page by using @Html.AntiForgeryToken(). The token validation is done on each request by using [ValidateAntiForgeryToken], an API provided by the framework, on the respective controllers and actions.

    When a request from the client browser is traced and sent again from a proxy tool with this traced data, the server application accepts it and no validation error is shown.

    The traced data contains the generated token value (__RequestVerificationToken) in the request body.

    The application is SSL (self-signed) enabled and is hosted over HTTPS.

    The tool is able to copy the validated token from the request body, and he can send a new request with this old token, i.e. the validated token is still available. Is there any way to invalidate or remove the already generated form tokens?

    We would like to know if there are any other security measures to be considered to prevent cross site attacks.

    Wednesday, December 18, 2013 2:00 PM
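    The validation described in the question, written out as an added example that is not code from the original post or from the ASP.NET framework itself: a hypothetical ASP.NET MVC 4 filter that first runs the framework's own AntiForgery.Validate() (the check behind [ValidateAntiForgeryToken]) and then adds the one-time-use behaviour the question asks about by remembering form tokens that have already been accepted. The attribute name, the cache key prefix and the 30-minute memory window are assumptions. The design point worth keeping in mind: the framework's form token is bound to the __RequestVerificationToken cookie and to the logged-in user, so a request replayed from a proxy with the same cookie and the same form token looks to the framework like the same legitimate client submitting the same form again. That is not the cross-site case the token exists to stop, which is why the built-in check reports no error; a replay guard like the one below is an addition on top of it.

    ```csharp
    using System;
    using System.Security.Cryptography;
    using System.Text;
    using System.Web;
    using System.Web.Caching;
    using System.Web.Helpers;
    using System.Web.Mvc;

    namespace AntiForgeryExample   // assumed namespace
    {
        // Hypothetical replacement for [ValidateAntiForgeryToken] that also rejects a form token
        // the server has already accepted once. Apply it to POST actions exactly as you would the
        // built-in attribute: [HttpPost, ValidateSingleUseAntiForgeryToken].
        [AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, AllowMultiple = false, Inherited = true)]
        public sealed class ValidateSingleUseAntiForgeryTokenAttribute : FilterAttribute, IAuthorizationFilter
        {
            private const string FormFieldName = "__RequestVerificationToken";
            private const string CacheKeyPrefix = "used-antiforgery-token:";           // assumed prefix
            private static readonly TimeSpan TokenMemory = TimeSpan.FromMinutes(30);   // assumed window

            public void OnAuthorization(AuthorizationContext filterContext)
            {
                if (filterContext == null) throw new ArgumentNullException("filterContext");

                // 1. The framework check: the cookie token and the form token must be a matching
                //    pair issued for this user. This is exactly what [ValidateAntiForgeryToken] does.
                AntiForgery.Validate();

                // 2. The added replay guard: a given form token is accepted only once.
                HttpContextBase context = filterContext.HttpContext;
                string formToken = context.Request.Form[FormFieldName];
                if (string.IsNullOrEmpty(formToken))
                {
                    throw new System.Web.Mvc.HttpAntiForgeryException(
                        "The required anti-forgery form field is missing.");
                }

                string cacheKey = CacheKeyPrefix + Fingerprint(formToken);
                if (context.Cache[cacheKey] != null)
                {
                    // Same form token seen before: treat the replay as a failed anti-forgery check.
                    throw new System.Web.Mvc.HttpAntiForgeryException(
                        "The anti-forgery token has already been used.");
                }

                // Remember the consumed token long enough to cover the life of the page that rendered it.
                context.Cache.Insert(cacheKey, true, null,
                                     DateTime.UtcNow.Add(TokenMemory), Cache.NoSlidingExpiration);
            }

            // Store a hash rather than the token itself so the cache never holds a usable token.
            private static string Fingerprint(string token)
            {
                using (SHA256 sha = SHA256.Create())
                {
                    byte[] digest = sha.ComputeHash(Encoding.UTF8.GetBytes(token));
                    return Convert.ToBase64String(digest);
                }
            }
        }
    }
    ```

    Two caveats on the design. HttpContext.Cache is per worker process, so on a web farm the set of consumed tokens has to live in a shared store or the guard silently stops working across servers. And because @Html.AntiForgeryToken() emits a fresh form token on every render, a user who opens the same form in two tabs gets two distinct tokens, so single use does not break ordinary navigation; it does break the browser's "resubmit form" on refresh, which is the intended effect. Since the site is served only over HTTPS, setting AntiForgeryConfig.RequireSsl = true in Application_Start additionally makes the framework reject anti-forgery tokens presented on any non-SSL request.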

Answers

  • Might ask them over here.

    http://forums.asp.net/1146.aspx/1?MVC


    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows]

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    • Proposed as answer by Just Karl Thursday, December 19, 2013 10:07 PM
    • Marked as answer by Just Karl Thursday, December 26, 2013 6:52 PM
    Thursday, December 19, 2013 1:38 AM