Download to read offline
Uploaded byFiyaz Hasan
Preventing XSRF in ASP.NET CORE apps
The document discusses cross-site request forgery (XSRF/CSRF) attacks and how to prevent them in ASP.NET Core applications. It explains that XSRF attacks trick authenticated users into performing unwanted actions on a web application. To prevent XSRF, ASP.NET Core uses antiforgery tokens that are validated on requests. It provides built-in support for adding antiforgery tokens to MVC forms and tag helpers. Additionally, antiforgery middleware can validate tokens on incoming requests to the application.
More Related Content
![PHP Experience 2016 - [Palestra] Json Web Token (JWT)](https://cdn.slidesharecdn.com/ss_thumbnails/17h00ivanrosolen-160331183444-thumbnail.jpg?width=640&height=640&fit=bounds)
Similar to Preventing XSRF in ASP.NET CORE apps
![[Lithuania] Cross-site request forgery: ways to exploit, ways to prevent](https://cdn.slidesharecdn.com/ss_thumbnails/owaspeee2015csrf-151012122314-lva1-app6891-151026110827-lva1-app6892-thumbnail.jpg?width=640&height=640&fit=bounds)
![[BDD 2025 - Full-Stack Development] Agentic AI Architecture: Redefining Syste...](https://cdn.slidesharecdn.com/ss_thumbnails/fs-agenticaiarchitectureredefiningsystemcommunication-251124030838-e6c70cc2-thumbnail.jpg?width=640&height=640&fit=bounds)
![[BDD 2025 - Full-Stack Development] The Modern Stack: Building Web & AI Appli...](https://cdn.slidesharecdn.com/ss_thumbnails/fs-themodernstackbuildingwebaiapplicationswithserverless-251124030844-388cf04f-thumbnail.jpg?width=640&height=640&fit=bounds)
![[BDD 2025 - Full-Stack Development] PHP in AI Age: The Laravel Way. (Rizqy Hi...](https://cdn.slidesharecdn.com/ss_thumbnails/fs-phpinaiagethelaravelway-251125012602-ef9d330e-thumbnail.jpg?width=640&height=640&fit=bounds)
![Support, Monitoring, Continuous Improvement & Scaling Agentic Automation [3/3]](https://cdn.slidesharecdn.com/ss_thumbnails/agenticcommunityseries-day3-cfd-251120170304-ddef8112-thumbnail.jpg?width=640&height=640&fit=bounds)
Preventing XSRF in ASP.NET CORE apps
- 1.
- 2.
- 3.
- 4. “Cross Site RequestForgery (XSRF/CSRF) is a type of security breech where a hacker can trick the user into making unwanted requests for a web application where the user is already authenticated
- 5.
- 6. Cookie Based Browser Server Authenticate username=…&password=… HTTP200 OK Set-Cookie: session=… GET /controller/action Cookie: session=… HTTP 200 OK { data: “data“ } Find and desirialize session from database
- 7.
- 8. Token Based Browser Server Authenticate username=…&password=… HTTP200 OK {token: ‘JWT’} GET /api/action Authorization: Bearer {JWT} HTTP 200 OK { data: “data“ } Validate Token
- 9. User Token & AntiforgeryToken Aren’t Same
- 10. Antiforgery System Browser Server ParticularRoute Request HTTP 200 OK Set Cookie: antiforgery.token=… POST /controller/action Hidden __RequestVerificationToken field HTTP 200 OK { data: “data“ } Checks if this token is validated Create And Store Token then send the token in the response
- 11. Built-in support for MVC Forms HtmlHelpers Html.BeginForm("Add","Transaction") TagHelpers <form asp-controller="Transaction" asp- action="Add“>
- 12.
- 13. Thanks! Any questions? You canfind me at: @FiyazBinHasan www.fiyazhasan.me