tags:

views:

290

answers:

2
+1  Q: 

what is the use of anti-forgery token salt ?

in asp.net mvc 1.0, there is a new feature for handling cross site request forgery security problem:

 <%= Html.AntiForgeryToken() %>
[ValidateAntiForgeryToken]
public ViewResult SubmitUpdate()
{
    // ... etc
}

and i found the token generated in html form keep changing every time a new form is rendered. I want to know how these token is generated? And when use some software to scan this site, it will report another security problem: Session fixed. why ? Since the token keep changed, how can this problem come ?

And there is another function, that is "salt" for the antiForgeryToken, but i really know what this used for, even through we don't use "salt" to generate the token, the token will changes all the time, so why have such function ?

Thanks in advance!

+1  A: 

You've ask a few unrelated problems:

  1. I don't know why your security software is reporting 'session fixed'. Try reading the documentation that comes with the report
  2. The anti-forgery token:

This is used (presumably) to validate that each request is valid. So consider that someone tries to present a link to the page ?x=1, if the token is not also passed, the request will be rejected. Further, it (may) prevent duplicate posting of the same item. If you click 'post' twice, the token will likely change (each request), and this case will be detected via something like:

Session["nextToken"] = token;
WriteToken(token);

...

if( !Request["nextToken"] == Session["nextToken"] ){
    ...
}

// note: order in code is slightly different, you must take the token
// before regenerating it, obviously

I think the term for this (the attack it protects) is called "CSRF" (Cross-Site Request Forgery), these days.

Noon Silk  2009-09-10 00:11:23
but why someone said that the token is related to SessionID?
MemoryLeak  2009-09-10 00:15:35
MemoryLeak: I don't know, I haven't used ASP.NET MVC specifically, I was answering generally as to the purposes of a request token. Hopefully someone can clear that up for you.
Noon Silk  2009-09-10 00:16:39
if you are right, what is "salt" used for ?
MemoryLeak  2009-09-10 00:17:29
salt is used to generate the token (so that it is random and not predictable).
Noon Silk  2009-09-10 00:19:17
but even i didn't use token, it is random too. That's my problem
MemoryLeak  2009-09-10 00:19:59
MemoryLeak: I think I'll let someone else answer; clearly it's not good for me to try and help you in something I don't know about :P
Noon Silk  2009-09-10 00:23:32
+2  A: 

Lots of info on the AntiForgeryToken here: http://blog.codeville.net/2008/09/01/prevent-cross-site-request-forgery-csrf-using-aspnet-mvcs-antiforgerytoken-helper/

This is to prevent a Cross-Site Request Forgery (CSRF). It's pretty standard behavior to click 'Save' sumbit a form and perform some action on the server, i.e. save a user's details. How do you know the user submitting the form is the user they claim to be? In most cases you'd use some cookie or windows based auth.

What if an attacker lures you to a site which submits exactly the same form in a little hidden IFRAME? Your cookies get submitted intact and the server doesn't see the request as any different to a legit request. (As gmail has discovered: http://www.gnucitizen.org/blog/google-gmail-e-mail-hijack-technique/)

The anti-forgery token prevents this form of attack by creating a additional cookie token everytime a page is generated. The token is both in the form and the cookie, if the form and cookie don't match we have a CSRF attack (as the attacker wouldn't be able to read the anti-forgery token using the attack described above).

And what does the salt do, from the article above:

Salt is just an arbitrary string. A different salt value means a different anti-forgery token will be generated. This means that even if an attacker manages to get hold of a valid token somehow, they can’t reuse it in other parts of the application where a different salt value is required.

Update: How is the token generated? Download the source, and have a look at the AntiForgeryDataSerializer, AntiForgeryData classes.

russau  2009-09-10 00:17:42
Actually I know all of this, did you see my problem ? I come from the blog just now.
MemoryLeak  2009-09-10 00:19:26
Which problem "Session fixed", or the question about "salt"? "Session fixed" I'm not familiar with, what are you using to scan the site?
russau  2009-09-10 00:22:35
thanks, russau, but i just don't agree on the blog post, then i ask a question here....
MemoryLeak  2009-09-10 02:14:22
i've updated my answer with a link to the source.. I had a quick read thru it but couldn't immediately work out exactly how they are creating the token.
russau  2009-09-10 04:59:49

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security