
Preventing XSRF in ASP.NET CORE apps

Published in: Technology

  1. .NET Core Security, Fiyaz Hasan
  2. Preventing XSRF in ASP.NET Core
  3. XSRF… what?
  4. “Cross Site Request Forgery (XSRF/CSRF) is a type of security breach where a hacker can trick the user into making unwanted requests to a web application where the user is already authenticated.”
  5. Authentication Systems
  6. Cookie Based
     • Browser → Server: Authenticate, username=…&password=…
     • Server → Browser: HTTP 200 OK, Set-Cookie: session=…
     • Browser → Server: GET /controller/action, Cookie: session=…
     • Server: find and deserialize the session from the database
     • Server → Browser: HTTP 200 OK { data: "data" }
  7. Are Cookies Evil?
  8. Token Based
     • Browser → Server: Authenticate, username=…&password=…
     • Server → Browser: HTTP 200 OK {token: 'JWT'}
     • Browser → Server: GET /api/action, Authorization: Bearer {JWT}
     • Server: validate the token
     • Server → Browser: HTTP 200 OK { data: "data" }
  9. User Token & Antiforgery Token Aren’t the Same
  10. Antiforgery System
     • Browser → Server: request to a particular route
     • Server: create and store the token, then send it in the response
     • Server → Browser: HTTP 200 OK, Set-Cookie: antiforgery.token=…
     • Browser → Server: POST /controller/action with the hidden __RequestVerificationToken field
     • Server: check that the token validates
     • Server → Browser: HTTP 200 OK { data: "data" }
  11. Built-in support for MVC Forms
     • HtmlHelpers: Html.BeginForm("Add", "Transaction")
     • TagHelpers: <form asp-controller="Transaction" asp-action="Add">
  12. Antiforgery Middleware
  13. Thanks! Any questions? You can find me at: @FiyazBinHasan, www.fiyazhasan.me
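How the antiforgery system of slides 10 to 12 is wired up in an ASP.NET Core app, as an added example that is not part of the original deck: the token cookie plus hidden field for Razor forms, and a small middleware that also hands the request token to JavaScript clients so they can send it in a header. The Startup-style layout (ASP.NET Core 3.x), the `X-XSRF-TOKEN`/`XSRF-TOKEN` names and the TransactionController are assumptions.

```csharp
// Added example, not the slide author's code. Assumes ASP.NET Core 3.x with MVC.
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAntiforgery(options =>
        {
            // Header a JavaScript client sends the request token in (name assumed).
            options.HeaderName = "X-XSRF-TOKEN";
            // The antiforgery cookie itself: unreadable by script, HTTPS only.
            options.Cookie.HttpOnly = true;
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        });
        // Validate every unsafe (POST/PUT/PATCH/DELETE) request by default, so a
        // forgotten [ValidateAntiForgeryToken] on one action does not leave a gap.
        services.AddControllersWithViews(o =>
            o.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()));
    }

    public void Configure(IApplicationBuilder app, IAntiforgery antiforgery)
    {
        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
        // Must run after authentication: the token is bound to the current user,
        // so a token issued for an anonymous user fails validation once logged in.
        app.Use(async (context, next) =>
        {
            // Sets the HttpOnly antiforgery cookie and returns the matching
            // request token; Razor forms get the same token as the hidden field.
            var tokens = antiforgery.GetAndStoreTokens(context);
            // Second, script-readable cookie (name assumed) that a JS client copies
            // into the X-XSRF-TOKEN header on its POST requests.
            context.Response.Cookies.Append("XSRF-TOKEN", tokens.RequestToken,
                new CookieOptions { HttpOnly = false, Secure = true, SameSite = SameSiteMode.Strict });
            await next();
        });
        app.UseEndpoints(e => e.MapDefaultControllerRoute());
    }
}

public class TransactionController : Controller
{
    // Already covered by the global filter; the attribute documents the intent.
    [HttpPost, ValidateAntiForgeryToken]
    public IActionResult Add(decimal amount) => Ok(new { data = "data" });
}
```

A `<form asp-controller="Transaction" asp-action="Add">` tag helper emits the hidden __RequestVerificationToken field for this action, while a JavaScript client reads the XSRF-TOKEN cookie and sends its value in the X-XSRF-TOKEN header.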
