Question

I have been developing an ASP.NET MVC 4 web application that uses the MVC AntiForgeryToken to prevent CSRF attacks. Lately the application was audited by a security company and they claimed to have found a vulnerability in the AntiForgeryToken that we are using. The problem is that the token does not have an integrity check. It is possible to alter the token slightly and it will still pass as a valid token.

Is it possible to extend the basic ASP.NET MVC AntiForgeryToken so that it will include an integrity check (e.g. HMAC)? Are there any existing implementations available? Or do I simply need to write my own implementation of the CSRF token?


Solution

Edit:

I don't understand why there would be a vulnerability, since the token is encrypted using System.Web.Security.MachineKey. You can customize which algorithms to use (HMAC is the default algorithm for validation) in the machineKey element.

Original:

The easiest way I can think of is to append your own secure token to the AntiForgeryToken by providing an IAntiForgeryAdditionalDataProvider.

using System;
using System.Web;
using System.Web.Helpers;

// Appends a caller-specific value to every anti-forgery token and checks it
// again on validation. The User-Agent is used here only to illustrate the hook.
public class UserAgentAntiForgeryAdditionalDataProvider : IAntiForgeryAdditionalDataProvider
{
    // Called when the token is generated; the returned string is embedded in the token.
    public string GetAdditionalData(HttpContextBase context)
    {
        return GenerateToken(context);
    }

    // Called when the token is validated; must return true for the request to pass.
    public bool ValidateAdditionalData(HttpContextBase context, string additionalData)
    {
        return string.Equals(GenerateToken(context), additionalData, StringComparison.Ordinal);
    }

    private string GenerateToken(HttpContextBase context)
    {
        return context.Request.UserAgent; //DON'T DO THIS IN PRODUCTION
    }
}

In Global.asax.cs

AntiForgeryConfig.AdditionalDataProvider = new UserAgentAntiForgeryAdditionalDataProvider();
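
An added example of what the "secure token" in the provider above could be, written for this page and not taken from the answer or from ASP.NET MVC itself: the additional data becomes "issuedTicks|userName|mac", where mac is an HMAC-SHA256 over the first two fields under a server-side key. A changed field fails the MAC, and the token is also bound to the logged-in account and to a maximum age. The class name, the appSetting name "AntiForgeryHmacKey", the 8-hour lifetime and the payload layout are assumptions.

```csharp
using System;
using System.Configuration;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Helpers;

// Hypothetical provider (not from the original answer): additional data is
// "issuedTicks|userName|mac" with mac = HMAC-SHA256(key, "issuedTicks|userName").
public class HmacAntiForgeryAdditionalDataProvider : IAntiForgeryAdditionalDataProvider
{
    private readonly byte[] _key;
    private readonly TimeSpan _lifetime;

    public HmacAntiForgeryAdditionalDataProvider(byte[] key, TimeSpan lifetime)
    {
        if (key == null || key.Length < 32)
            throw new ArgumentException("Use at least 32 random bytes.", "key");
        _key = key;
        _lifetime = lifetime;
    }

    public string GetAdditionalData(HttpContextBase context)
    {
        string payload = DateTime.UtcNow.Ticks.ToString(CultureInfo.InvariantCulture)
                         + "|" + UserName(context);
        return payload + "|" + Mac(payload);
    }

    public bool ValidateAdditionalData(HttpContextBase context, string additionalData)
    {
        if (string.IsNullOrEmpty(additionalData)) return false;

        // The MAC is base64 and never contains '|', so split it off from the right;
        // the user name may itself contain '|'.
        int macSep = additionalData.LastIndexOf('|');
        if (macSep < 0) return false;
        string payload = additionalData.Substring(0, macSep);
        string mac = additionalData.Substring(macSep + 1);

        // Verify the MAC in constant time before trusting any field of the payload.
        if (!FixedTimeEquals(Mac(payload), mac)) return false;

        int userSep = payload.IndexOf('|');
        long issued;
        if (userSep < 0 || !long.TryParse(payload.Substring(0, userSep), NumberStyles.None,
                                          CultureInfo.InvariantCulture, out issued)) return false;
        string user = payload.Substring(userSep + 1);

        // Reject tokens issued for another account or older than the lifetime.
        if (!string.Equals(user, UserName(context), StringComparison.Ordinal)) return false;
        TimeSpan age = DateTime.UtcNow - new DateTime(issued, DateTimeKind.Utc);
        return age >= TimeSpan.Zero && age <= _lifetime;
    }

    private static string UserName(HttpContextBase context)
    {
        var identity = context.User != null ? context.User.Identity : null;
        return identity != null && identity.IsAuthenticated ? identity.Name : string.Empty;
    }

    private string Mac(string payload)
    {
        using (var hmac = new HMACSHA256(_key))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(payload)));
    }

    // Constant-time comparison so a forged MAC cannot be confirmed byte by byte.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// Registration for Global.asax.cs Application_Start. The key comes from an
// assumed appSetting "AntiForgeryHmacKey" holding 32+ random bytes in base64.
public static class AntiForgeryStartup
{
    public static void Register()
    {
        byte[] key = Convert.FromBase64String(ConfigurationManager.AppSettings["AntiForgeryHmacKey"]);
        AntiForgeryConfig.AdditionalDataProvider =
            new HmacAntiForgeryAdditionalDataProvider(key, TimeSpan.FromHours(8));
    }
}
```

Two caveats: for anonymous requests the user name is empty, so the binding only adds the age check there; and the additional data is still carried inside the MVC token, so this gives an integrity check that an auditor can verify by tampering with the field, it does not replace the MachineKey protection around the whole token.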

OTHER TIPS

You should also take a look at the concept of stateless CSRF protection. There are 2 standard approaches to achieving this: the Encrypted Token Pattern and the Double Submit Cookie pattern. The Encrypted Token Pattern leverages a Rijndael-encrypted Token whose integrity is maintained by a SHA256 hashing algorithm.
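
An added, stand-alone illustration of the Encrypted Token Pattern mentioned above, written for this page and not code from the original answer or from any library: the claims "issuedTicks|nonce|userId" are AES-256-CBC encrypted under one key and the IV plus ciphertext are then authenticated with HMAC-SHA256 under a second key (encrypt-then-MAC), so the server keeps no per-token state. The class name, claim layout, key lengths and lifetime are assumptions.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

// Hypothetical stateless CSRF token: token = base64( IV || AES-CBC(claims) || HMAC-SHA256(IV || ciphertext) ).
public sealed class EncryptedCsrfToken
{
    private const int IvLen = 16, TagLen = 32;
    private readonly byte[] _encKey;   // 32-byte AES key
    private readonly byte[] _macKey;   // separate HMAC key, never the same bytes as _encKey
    private readonly TimeSpan _lifetime;

    public EncryptedCsrfToken(byte[] encKey, byte[] macKey, TimeSpan lifetime)
    {
        if (encKey == null || encKey.Length != 32) throw new ArgumentException("32-byte AES key required", "encKey");
        if (macKey == null || macKey.Length < 32) throw new ArgumentException("32+ byte HMAC key required", "macKey");
        _encKey = encKey; _macKey = macKey; _lifetime = lifetime;
    }

    // Issue a token for the current user; goes into a hidden form field.
    public string Issue(string userId)
    {
        byte[] nonce = new byte[16];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(nonce);
        string claims = DateTime.UtcNow.Ticks.ToString(CultureInfo.InvariantCulture)
                        + "|" + Convert.ToBase64String(nonce) + "|" + userId;
        byte[] plaintext = Encoding.UTF8.GetBytes(claims);

        byte[] iv, ct;
        using (var aes = new AesCryptoServiceProvider { Key = _encKey, Mode = CipherMode.CBC, Padding = PaddingMode.PKCS7 })
        {
            aes.GenerateIV();
            iv = aes.IV;
            using (var enc = aes.CreateEncryptor()) ct = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
        }
        byte[] body = Concat(iv, ct);
        byte[] tag;
        using (var h = new HMACSHA256(_macKey)) tag = h.ComputeHash(body);
        return Convert.ToBase64String(Concat(body, tag));
    }

    // Validate a submitted token against the user making the request.
    public bool Validate(string token, string userId)
    {
        byte[] raw;
        try { raw = Convert.FromBase64String(token ?? string.Empty); }
        catch (FormatException) { return false; }
        if (raw.Length < IvLen + 16 + TagLen || (raw.Length - TagLen) % 16 != 0) return false;

        int bodyLen = raw.Length - TagLen;
        byte[] body = new byte[bodyLen], tag = new byte[TagLen];
        Buffer.BlockCopy(raw, 0, body, 0, bodyLen);
        Buffer.BlockCopy(raw, bodyLen, tag, 0, TagLen);

        // MAC first, in constant time: one flipped bit anywhere in IV or
        // ciphertext fails here and nothing is ever decrypted.
        byte[] expected;
        using (var h = new HMACSHA256(_macKey)) expected = h.ComputeHash(body);
        if (!FixedTimeEquals(expected, tag)) return false;

        byte[] iv = new byte[IvLen], ct = new byte[bodyLen - IvLen];
        Buffer.BlockCopy(body, 0, iv, 0, IvLen);
        Buffer.BlockCopy(body, IvLen, ct, 0, ct.Length);
        string claims;
        using (var aes = new AesCryptoServiceProvider { Key = _encKey, IV = iv, Mode = CipherMode.CBC, Padding = PaddingMode.PKCS7 })
        using (var dec = aes.CreateDecryptor())
            claims = Encoding.UTF8.GetString(dec.TransformFinalBlock(ct, 0, ct.Length));

        // Claims are issuedTicks|nonce|userId; userId may contain '|', so split into at most 3 parts.
        string[] parts = claims.Split(new[] { '|' }, 3);
        long issued;
        if (parts.Length != 3 || !long.TryParse(parts[0], NumberStyles.None, CultureInfo.InvariantCulture, out issued)) return false;
        if (!string.Equals(parts[2], userId, StringComparison.Ordinal)) return false;
        TimeSpan age = DateTime.UtcNow - new DateTime(issued, DateTimeKind.Utc);
        return age >= TimeSpan.Zero && age <= _lifetime;
    }

    private static byte[] Concat(byte[] a, byte[] b)
    {
        byte[] r = new byte[a.Length + b.Length];
        Buffer.BlockCopy(a, 0, r, 0, a.Length);
        Buffer.BlockCopy(b, 0, r, a.Length, b.Length);
        return r;
    }

    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Call Issue(userId) when rendering a form and Validate(postedToken, currentUserId) on every state-changing request. The random nonce makes each issued token distinct, the user binding stops a token minted for one account from being replayed against another, and keeping the MAC key separate from the encryption key is what makes the encrypt-then-MAC construction sound.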

Licensed under: CC-BY-SA with attribution