antiforgerytoken

ASP.MVC antiforgery token and cryptographic errors

I'm using ELMAH to handle errors in my MVC sites and I've noticed over the past couple of weeks that I'm getting some CryptographicExceptions thrown. The message is: System.Security.Cryptography.CryptographicException: Padding is invalid and cannot be removed. System.Web.Mvc.HttpAntiForgeryException: A required anti-forgery t...

Creating an AntiForgeryToken through Dependency Injection

I'm working on improving the security of my company's website and wanted to create a token to prevent forgery attempts that could be easily maintained. This is what I came up with. public class AntiForgeryToken { private readonly string _referenceToken; public AntiForgeryToken() { _referenceToken = Guid.NewGuid().ToS...

Validation issue with ASP.NET MVC AntiForgeryToken

So I have an interesting problem... I'm required to get my webapp to pass through an IBM app scanning appliance before I can push my changes to production. My latest changes include the AntiForgeryToken in ASP.NET MVC. Every browser I've tested this on works just fine, no issues. But when the appliance tries to submit the form, it ge...

Creating test cases against html security exploit

In an ASP.NET MVC project along with a test case project, how does someone create a test case to test against existing security exploits on a controller method? For example, how do you create a test case for a call that needs an anti-forgery token? Or XSS? ...

ValidateAntiForgeryToken failing with jQuery ajax form submission

I have an HTML form, to which I dynamically add a text field and perform a POST request for that form via jQuery to an ASP.NET MVC controller. If I invoke the POST request without the ValidateAntiForgeryToken attribute on the controller action, it works fine. But, when I add the ValidateAntiForgeryToken attribute to the action I get the...

RequestVerificationToken cookie not present in Response.

My ASP.NET MVC application prevents CSRF attacks by using the ValidateAntiForgeryToken attribute and calling Html.AntiForgeryToken to write a hidden input element with the token value, and also place the token in the cookie. My exception log is reporting occurrences of HttpAntiForgeryException that look like they were triggered from vali...

Is it possible to make the AntiForgeryToken value in ASP.NET MVC change after each verification?

We've just had some Penetration Testing carried out on an application we've built using ASP.NET MVC, and one of the recommendations that came back was that the value of the AntiForgeryToken in the Form could be resubmitted multiple times and did not expire after a single use. According to the OWASP recommendations around the Synchronize...

jQuery ASP.NET MVC JSON call hackable?

I have a basic JsonResult method that is being called by a jQuery $.ajax call in my view. [AcceptVerbs(HttpVerbs.Post)] public JsonResult DoWork(string param1) { // do something important return Json(); } So my question is, could this method be called/hacked and passed erroneous data? Let's say it wa...

What kind of information should be shown when validation of AntiForgeryToken fails?

I have a public site with some forms. Simple question: what kind of information should I show when validation of the AntiForgeryToken fails? Should it be a 404 (page not found), an error, or should I just ignore it and redirect to the home page? ...

MVC 2 AntiForgeryToken - Why symmetric encryption + IPrincipal?

We recently updated our solution to MVC 2, and this has updated the way that the AntiForgeryToken works. Unfortunately this does not fit with our AJAX framework any more. The problem is that MVC 2 now uses symmetric encryption to encode some properties about the user, including the user's Name property (from IPrincipal). We are able to...

Dynamic Forms and AntiForgeryToken MVC

I want to create dynamic forms on a MVC page that will generate something like this. onclick=" var f = document.createElement('form'); f.style.display = 'none'; this.parentNode.appendChild(f); f.method = 'POST'; f.action = this.href; var s = document.createElement('input'); s.setAttribute('type', 'hidden...

Intermittent error thrown, "A required anti-forgery token was not supplied or was invalid."

I'm occasionally getting this error during normal use, and I've not found a way to stop it without removing the attribute that requires the token, which I'd rather not do. I've gotten this bug during my own testing (but seemingly randomly) and I know from my logging that actual logged-in users are getting it as well. Does anyone know...

Problem with Validate Anti Forgery

Hi! I have a problem regarding MVC Anti forgery token. When I do my authentication I have pseudo code like this: var user = userRepository.GetByEmail(email); System.Threading.Thread.CurrentPrincipal = HttpContext.Current.User = user; by doing so I'm able to get the current user in my code like this: var user = HttpContext.Current.Use...

How can I supply an AntiForgeryToken when posting JSON data using $.ajax?

I am using the code as below of this post: First I will fill an array variable with the correct values for the controller action. Using the code below I think it should be very straightforward by just adding the following line to the javascript: data["__RequestVerificationToken"] = $('[name=__RequestVerificationToken]').val(); The <%=...
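The client side of the three form-submission questions above (the jQuery POST that fails ValidateAntiForgeryToken, the dynamically created form, and the $.ajax JSON post), as an added example that is not code from any of the posts. It reads the hidden field that Html.AntiForgeryToken() renders and puts the value back into the request in the place the built-in attribute looks for it: ValidateAntiForgeryToken reads __RequestVerificationToken from Request.Form, so a body sent as application/json will not be seen by it. The "X-RequestVerificationToken" header and the `root`/`doc` parameters (so the helpers can be exercised outside a browser) are assumptions of this example, not part of ASP.NET MVC.

```javascript
// Added example: sending the ASP.NET MVC anti-forgery token from the browser.
// "__RequestVerificationToken" is the hidden-field name Html.AntiForgeryToken()
// emits; everything else here (helper names, the custom header) is assumed.
const TOKEN_FIELD = "__RequestVerificationToken";

// Read the hidden field rendered into the page. `root` is anything with a
// querySelector (document, a <form> element, or a stub in a test).
function readAntiForgeryToken(root) {
  const input = root.querySelector(`input[name="${TOKEN_FIELD}"]`);
  if (!input || !input.value) {
    throw new Error("anti-forgery token not found; is Html.AntiForgeryToken() inside the form?");
  }
  return input.value;
}

// Return a copy of the request data with the token added as a form field.
function withAntiForgeryToken(data, token) {
  return Object.assign({}, data, { [TOKEN_FIELD]: token });
}

// Encode as application/x-www-form-urlencoded. The built-in attribute only
// looks at Request.Form, so the token must travel as a form field, not in a
// JSON document.
function toFormBody(data) {
  return Object.keys(data)
    .map((k) => encodeURIComponent(k) + "=" + encodeURIComponent(data[k]))
    .join("&");
}

// For the dynamic-form case: append the token as a hidden input to a form
// built on the fly. `doc` is `document` in the browser (injectable for tests).
function appendTokenField(form, token, doc) {
  const input = doc.createElement("input");
  input.setAttribute("type", "hidden");
  input.setAttribute("name", TOKEN_FIELD);
  input.setAttribute("value", token);
  form.appendChild(input);
  return input;
}

// Browser usage (assumes jQuery is loaded). jQuery form-encodes a plain data
// object, which is what [ValidateAntiForgeryToken] expects. The extra header
// is only useful if the server has custom code that reads it; it is an
// assumption of this example.
function postWithToken(url, data) {
  const token = readAntiForgeryToken(document);
  return $.ajax({
    url,
    type: "POST",
    data: withAntiForgeryToken(data, token),
    headers: { "X-RequestVerificationToken": token },
  });
}
```

Note that the cookie half of the pair is sent by the browser automatically for same-origin XHR; only the form half has to be copied by hand, which is why a dynamically built form or an AJAX call that omits it fails with "A required anti-forgery token was not supplied or was invalid."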

ASP.NET MVC AntiForgeryToken throwing its exception on GET?

I've got a weird error in a couple MVC apps that I've not noticed before; it's happening in my app (across the board) and also it happened when I tried running the latest Orchard drop (so I know it's not just my code). Basically, the issue is that I get the exception that should be thrown when an AntiforgeryToken isn't supplied, but is ...

How can I intercept and handle an AntiForgeryToken exception?

I am using jQuery to post($.post) to a controller action and return a JSON result. If there are any errors, I'm returning the error message with the JSON result and displaying it to the user with a modal. However, I'm having a lot of trouble intercepting the AFT exception. Rather than throw a 500, I just want to grab the error mes...

AntiForgery implementation in Asp.net Forms

I am developing an httphandler to process some requests in Web Forms (NOT in MVC). How could I implement Anti Cross Site Scripting (like antiforgery in MVC)? I want to know more about the antiforgery mechanism in MVC. ...

Invalid length for a Base-64 char array

I use asp.net + MVC1.0 and in a webpage I have several forms, within each form I have called the following function AntiForgeryToken() to generate a hidden value, and in the Controller function I have a validate attribute. When I use JMeter and capture the token using a regular expression and then post the token with my form to the server, I found ...

Will ASP.Net MVC's AntiForgeryToken Method work with Load Balancers?

Using ASP.Net MVC v2.0, I am starting to research the use of the Html.AntiForgeryToken() method when submitting forms that process data. I can see it sets a hidden value in the form HTML and it sets the same value in a session cookie. The question is will different web servers in a load balanced configuration create the same token in t...

Is there a way to rename the RequestVerificationToken cookie name?

Using ASP.net MVC v2.0, Any way to change the name of the __RequestVerificationToken cookie? In an effort to conceal our underlying technology stack, I’d like to rename the cookie to something that can’t be traced back to ASP.Net MVC. More info on this at Steve Sanderson's blog. ...