Edit:
I don't understand why there would be a vulnerability, since the token is encrypted using System.Web.Security.MachineKey. You can customize which algorithms are used (HMAC is the default algorithm for validation) in the machineKey element.
Original:
The easiest way I can think of is to append your own secure token to the AntiForgeryToken by providing an IAntiForgeryAdditionalDataProvider.
/// <summary>
/// Sample <see cref="IAntiForgeryAdditionalDataProvider"/> that stores the request's
/// User-Agent header inside the anti-forgery token as "additional data" and requires
/// the same header on validation. The header is chosen by the client and is not a
/// secret, so this adds no real protection; it only shows where custom data is
/// generated and checked.
/// </summary>
public class UserAgentAntiForgeryAdditionalDataProvider : IAntiForgeryAdditionalDataProvider
{
    /// <summary>
    /// Supplies the value that is embedded in the token when it is generated.
    /// </summary>
    /// <param name="context">The current request context.</param>
    /// <returns>The current request's User-Agent header (may be null if absent).</returns>
    public string GetAdditionalData(HttpContextBase context)
    {
        return CurrentUserAgent(context);
    }

    /// <summary>
    /// Checks the value recovered from the token against the current request.
    /// The comparison is exact: ordinal and case-sensitive.
    /// </summary>
    /// <param name="context">The current request context.</param>
    /// <param name="additionalData">The value stored in the token being validated.</param>
    /// <returns>True when the stored value equals the current User-Agent header.</returns>
    public bool ValidateAdditionalData(HttpContextBase context, string additionalData)
    {
        string expected = CurrentUserAgent(context);
        return string.Equals(expected, additionalData, StringComparison.Ordinal);
    }

    // DON'T DO THIS IN PRODUCTION: the User-Agent header is supplied by the client,
    // so it is neither secret nor unpredictable.
    private static string CurrentUserAgent(HttpContextBase context)
    {
        return context.Request.UserAgent;
    }
}
In Global.asax.cs
// Registers the provider application-wide (typically from Application_Start in Global.asax.cs),
// so every anti-forgery token issued afterwards carries and checks the additional data.
AntiForgeryConfig.AdditionalDataProvider = new UserAgentAntiForgeryAdditionalDataProvider();