I have many Ajax.ActionLinks on my ASP.NET MVC (v1) page that perform destructive operations. This is "legal" because I set HttpMethod to DELETE in this case, so it's not a destructive GET.

My question though is how to mitigate XSRF attacks on this operation so that other sites cannot craft this same Ajax DELETE request to delete user data from another site. This ActionLink does appear within a form that includes <%= Html.AntiForgeryToken() %> but since ActionLinks don't post the form, the anti-forgery token doesn't go to the controller, so it can't validate it.

+1  A: 

To prevent against Cross-Site Request Forgery attacks you must block requests that originate from another site. In asp.net you can do this by checking to see if Request.UrlReferrer isn't from your host name. If the ajax request originated from a different server, then you should ignore the ajax request. If the referrer is null, then you should also ignore the request.

Rook
Thanks, but unfortunately the UrlReferrer comes from an HTTP header that is often stripped by proxies or firewalls (for privacy reasons), so denying ajax requests based on that header causes the web site to misbehave for legitimate requests. I'm looking for how to best implement the standard approach of matching a secret on the client (usually a hidden field in the form) and a secret on the server to authorize the POST.
Andrew Arnott
A: 

This link covers one solution: http://tpeczek.blogspot.com/2010/05/using-antiforgerytoken-with-other-verbs.html

However, the most ideal solution is that when you use the ActionLink it adds the anti-forgery token into the query string, so I'm going to try writing my own ActionLink extension method that appends that on.

Finally, I'm going to write an attribute that inherits from ValidateAntiForgeryTokenAttribute and that accepts forgery tokens in both Request.Form and Request.QueryString.

Stephen lacy
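The two pieces the answer above sketches, as an added example written for this page (not code from either answerer or from the linked blog post). It assumes ASP.NET MVC 1, that the stock `ValidateAntiForgeryTokenAttribute` reads the token from `Request.Form` and compares it with the anti-forgery cookie, and that the hidden field `Html.AntiForgeryToken()` renders is named `__RequestVerificationToken`. Because the stock attribute's `OnAuthorization` is not virtual, the derived attribute re-implements `IAuthorizationFilter` and hands the base validator a wrapped request whose `Form` collection also contains the query-string token, instead of re-implementing the framework's token check. The helper, attribute and wrapper class names are this example's own.

```csharp
using System;
using System.Collections.Specialized;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.Mvc;
using System.Web.Mvc.Ajax;
using System.Web.Routing;

public static class AntiForgeryLinkExtensions
{
    // Assumption: name of the hidden field rendered by Html.AntiForgeryToken().
    public const string FieldName = "__RequestVerificationToken";

    // Extracts just the token value from the hidden <input> that
    // Html.AntiForgeryToken() renders (that call also sets the matching cookie).
    public static string AntiForgeryTokenValue(this HtmlHelper html)
    {
        Match m = Regex.Match(html.AntiForgeryToken(), "value=\"([^\"]*)\"");
        if (!m.Success)
            throw new InvalidOperationException("Anti-forgery token not found.");
        return HttpUtility.HtmlDecode(m.Groups[1].Value);
    }

    // Ajax.ActionLink that carries the token as a route value; values no route
    // consumes end up in the query string, e.g. /Items/Delete/5?__RequestVerificationToken=...
    public static string AntiForgeryActionLink(this AjaxHelper ajax, string linkText,
        string actionName, object routeValues, AjaxOptions ajaxOptions)
    {
        HtmlHelper html = new HtmlHelper(ajax.ViewContext, ajax.ViewDataContainer);
        RouteValueDictionary values = new RouteValueDictionary(routeValues);
        values[FieldName] = html.AntiForgeryTokenValue();
        return ajax.ActionLink(linkText, actionName, values, ajaxOptions);
    }
}

// Accepts the token from Request.Form (normal POST) or Request.QueryString (link).
public class ValidateAntiForgeryTokenAnyVerbAttribute
    : ValidateAntiForgeryTokenAttribute, IAuthorizationFilter
{
    public new void OnAuthorization(AuthorizationContext filterContext)
    {
        HttpRequestBase request = filterContext.HttpContext.Request;
        if (request.Form[AntiForgeryLinkExtensions.FieldName] != null)
        {
            base.OnAuthorization(filterContext); // posted form: stock behaviour
            return;
        }
        string token = request.QueryString[AntiForgeryLinkExtensions.FieldName];
        if (string.IsNullOrEmpty(token))
            throw new HttpAntiForgeryException("A required anti-forgery token was not supplied.");

        // Let the stock validator do the cookie comparison, seeing the token in Form.
        ControllerContext wrapped = new ControllerContext(
            new TokenInFormHttpContext(filterContext.HttpContext, token),
            filterContext.RouteData, filterContext.Controller);
        base.OnAuthorization(new AuthorizationContext(wrapped));
    }
}

// HttpContextBase members default to NotImplementedException, so only what the
// validator touches is delegated; Request is swapped for the token-carrying one.
class TokenInFormHttpContext : HttpContextBase
{
    private readonly HttpContextBase _inner;
    private readonly HttpRequestBase _request;
    public TokenInFormHttpContext(HttpContextBase inner, string token)
    {
        _inner = inner;
        _request = new TokenInFormHttpRequest(inner.Request, token);
    }
    public override HttpRequestBase Request { get { return _request; } }
    public override HttpResponseBase Response { get { return _inner.Response; } }
    public override System.Collections.IDictionary Items { get { return _inner.Items; } }
}

class TokenInFormHttpRequest : HttpRequestBase
{
    private readonly HttpRequestBase _inner;
    private readonly NameValueCollection _form;
    public TokenInFormHttpRequest(HttpRequestBase inner, string token)
    {
        _inner = inner;
        _form = new NameValueCollection(inner.Form); // writable copy of the read-only Form
        _form[AntiForgeryLinkExtensions.FieldName] = token;
    }
    public override NameValueCollection Form { get { return _form; } }
    // Needed by the validator to locate and read the anti-forgery cookie.
    public override string ApplicationPath { get { return _inner.ApplicationPath; } }
    public override HttpCookieCollection Cookies { get { return _inner.Cookies; } }
    public override string HttpMethod { get { return _inner.HttpMethod; } }
    public override NameValueCollection QueryString { get { return _inner.QueryString; } }
    public override NameValueCollection Headers { get { return _inner.Headers; } }
    public override Uri Url { get { return _inner.Url; } }
}

// Usage (view):  <%= Ajax.AntiForgeryActionLink("Delete", "Delete", new { id = item.Id },
//                    new AjaxOptions { HttpMethod = "DELETE", UpdateTargetId = "list" }) %>
// Usage (controller):
//   [AcceptVerbs(HttpVerbs.Delete), ValidateAntiForgeryTokenAnyVerb]
//   public ActionResult Delete(int id) { /* ... */ }
```

Two caveats a practitioner should weigh before shipping this. First, a token in the query string is written to server, proxy and browser-history logs and is sent in the Referer header to any external site linked from the page; since the validator only compares the token with the user's cookie, anyone who learns the token can forge a request that the victim's browser will complete with the cookie attached, so treat the URL as sensitive or move the token into a request header set by your own client script. Second, the attribute still relies on the anti-forgery cookie being present, so a missing cookie (for example, a page rendered without ever calling `Html.AntiForgeryToken()`) fails closed with the framework's `HttpAntiForgeryException`, which is the behaviour you want.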