webmatrix–helpers–antiforgery

Wednesday, October 13, 2010

On Oct 6 2010, ScottGu (I prefer to call him His Guness : ) ) announced BETA 2 release of WebMatrix. You can check the official release blog post here. You can read the beta 2 release readme here.

I have been following WebMatrix lately. This is one of the blog post series on the WebMatrix helpers. As part of Beta 2 following helpers were added to WebMatrix:

Antiforgery
Bing
Json
Themes

In my last blog post i talked about Bing helper. This blog post i will be looking in to “Antiforgery” helper. So lets dive into topic then.

What is Anti Forgery in web application?

To answer this we should first know what is CSRF – Cross-Site Request Forgery. Here is the WikiPedia explanation for this:

Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF ("sea-surf"^[1]) or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.^[2] Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.

To know more about the subject please visit WikiPedia.

Anti Forgery is nothing but one of the mechanism to stop the CSRF attack.

How does the Anti Forgery Helper help us?

This helper works in two folds. First this will help you to embed a anti forgery token as a field in your form. Second this will help you to validate the token whenever you have a form posted. This also has the capability to generate a default token or take a salt to generate a very specific token for you. Using salt is always better so that its like your own secret key for the token generation.

Anti Forgery Helper API in WebMatrix:

We can find the Anti Forgery Helper API in the following assembly:

System.Web.Helpers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35

This API exposes 2 public methods. Lets have a look at them one by one.

i. public static HtmlString GetHtml(string salt)

- This method will out put the anti forgery token as a hidden form field in your form. Have a look at the screen shot below:

As you can see this will output the value of the hidden field as a binary encoded data.

- The only parameter to this method – what we call as salt – is optional and default value is “null”. If you provide a salt while generating the anti forgery token using the this method, while validating you need to make sure that you provide the same salt. More on this in the below section.

ii. public static void Validate(string salt)

- This method is used to validate the anti forgery token on the server during your processing.

- This will method will validate your form posting for the presence of the token. If not found meaning if this was a cross site request – will raise a HttpAntiForgeryException.

As you can see the API itself is very neat and cute one : ). It has only 2 methods but does all the work required for your to protect your site from the CSRF. Now lets see some code syntax on how to use this.

Anti Forgery Helper API Usage Syntax:

As you can see from the above code, the usage of the anti forgery helper API syntax is quite simple. You use the GetHtml() method inside the form so that it embeds the token. Then on the server side when you are processing the form – call the Validate() method to check if the request is a cross site request. That’s it. And you have evaded the cross site request attack.

So what exactly happens is – The GetHtml() does 2 things. It creates a HttpCookie for the site which contains the same token value as the form field. In the Validate method you just check if the cookie and the form value tokens match. So if somebody somehow does do a cross site request forgery they will be missing the cookie or the form field for the anti forgery token and that’s how your code will be alerted when you are doing the form processing.

Well this was just my attempt to understand the Helper. Hope it helped you too. Let me know your comments if you do read this. That will help me a lot.

Till next time, Happy coding. Code with passion.

del.icio.us Tags: WebMatrix,AntiForgery,CSRF

Technorati Tags: WebMatrix,AntiForgery,CSRF

40 Comments

nice post, I enjoy it

weddingdress2011 - Thursday, September 1, 2011 2:49:47 AM

Yes there should realize the reader to RSS my feed to RSS commentary, quite simply

hooher tod - Tuesday, September 6, 2011 6:12:48 PM

This is a really good read for me, Must admit that you are
one of the best bloggers I ever saw.Thanks for posting this informative article.

wedding dress - Friday, October 14, 2011 2:48:12 AM

One day, strong go out shopping, found a shop to hang was full of all kinds of clothes, the door on the glass: "open a shop DaChouBin, high-grade suit 30 yuan each, shirt 5 yuan each......"
Strong sense happy heart: so good it is finally be I catch up with it! So hurry to blunt, in the moment of the door looked up to see: "the dry cleaner."

belstaff - Friday, October 14, 2011 8:41:40 AM

If you are a dude that is certainly showing the pendant on the woman you cherish as the specific surprise, you possibly can obtain ovals the fact that match up with cooler areas of the woman's view. It's not possible to actually be unsuccessful with all the a glass pellets.

pandora jewellery - Monday, October 24, 2011 8:50:49 AM

It's really a wonderful job. This message contains useful information that helps us a lot. I have never seen such a large contribution. Can inspire your wonderful message and help us a lot. I visit your site often and share with friends.

hoodies for men - Monday, October 31, 2011 5:02:36 PM

Good writing ... keep posting dear friend
This discussion assumes unexpected connect my attention inward. Well, after reading
each of them, it gives me new ideas for my blog. thank you

water damage restoration - Tuesday, November 1, 2011 4:54:00 PM

No matter you are a gentle man or a charming lady, no matter you are old enough or you are just a little kid, put on the glamour of the Moncler, confident will exist beside you. Noble Moncler is like a strong warm spring breeze to warm the people's hearts, and make them feel the awaken of spring in the bitter cold. Our website has collected the latest Moncler outlet style and all kinds of classification. Come on, put out your finger, click our website, you will get the best service and the highest quality.Here, you will experience to the joys of shopping heaven!

moncler coat - Thursday, November 10, 2011 12:53:34 AM

High-quality Moncler jackets along with Moncler Applications using modern-day along with well-designed design and style are generally individualâ€™s favorite apparel. If you are interested a jackets with regard to friends, Moncler is the greatest choice for a person, it is not really simple clothing but a detailed friend for a person.

moncler coat - Thursday, November 10, 2011 12:57:15 AM

Slimming plus size evening dresses are very easy to find online. One of the most popular slimming styles are empire waist plus size evening dresses.

Bridesmaid Dresses - Tuesday, November 15, 2011 5:33:50 AM

i like the reading

wedding dresses - Wednesday, November 30, 2011 7:35:16 AM

One of the most popular slimming styles are empire waist plus size evening dresses.

microsoft office 2007 - Tuesday, December 13, 2011 3:01:37 AM

Love is difficult. Once we fall in love, we fall. I love Celery.

wedding bridesmaid dresses - Friday, December 16, 2011 7:30:30 AM

new new era hats In the course of researching his book, Popa started collecting definitions that have

new era caps wholesale - Wednesday, December 28, 2011 5:56:39 AM

Love can touch us one time and lasts for a lifetime. I love Celery.

bridesmaid dresses - Tuesday, January 10, 2012 3:20:12 AM

The next tool and the specific operation of commercial business model innovation and the challenges facing, we must first focus on the needs of the customer as the center, purchase channels, spacious, centralized delivery, wide range of products, access to information, extensive links, but also for the customer selection of high quality price Lim, short delivery tool brand, especially those with special expertise in the small and medium sized enterprises tool products.

headphones dr dre - Wednesday, January 18, 2012 8:11:42 AM

making them feel more confident about themselves.If you have made the decision to undergo a nose job, then you should find a surgeon who will provide you with all the necessary advice and guidance you need. They should show you pictures of potential nose shapes so that you can make a collective decision as to which is most likely to suit the look of your face.

cheap the north face jackets - Tuesday, January 31, 2012 7:17:16 AM

With the holiday shopping season just around the corner, have you thought about what you'll get the pilot in your life? If your favorite aviator has hinted that he would like a new pair of pilot headphones, fret not. Though headset shopping can seem like a daunting task, use the guidelines below to find a quality earphone model that your family flier will love.

cheap dr dre headphones - Tuesday, January 31, 2012 3:20:21 PM

Even if it's true that for these products are worth every cent you pay for them, you still want to be able to save as much money as possible.

north face outlet online - Wednesday, February 1, 2012 1:15:25 PM

This was very useful...we have an ecommerce site and we need to know about Anti Forgery counter attacks.

san francisco, california home security - Wednesday, February 8, 2012 10:59:03 AM

Given that these jackets are so affordable you can acquire them in various weights and have 1 for every single event. Sporting fleece jackets is a lot far more at ease than their wool counterparts. Because fleece is light-weight you can be warm and cozy without feeling weighed down.

gr63@nfh.com - Tuesday, February 14, 2012 7:16:58 AM

In 1913 one of the most famous pens was released, what collectors refer to as the "snowflake". The Montblanc star become a brand hero, and was one of the pens to launch the company into infamy.

mont blanc pens sale - Wednesday, February 15, 2012 11:28:11 AM

I am glad to visit your site again.. I love reading your articles. You guys write well on article and so talented. I hope to see more article from you. Thanks for sharing.

domain name web hosting - Wednesday, March 21, 2012 6:43:55 AM

Wow! I could not even guess about it)) Not bad.

Kevin - Tuesday, March 27, 2012 4:27:38 AM

Really Great Blog! I like it. This is awesome one..

iPhone 4S Cases - Monday, April 23, 2012 8:24:38 PM

Is this really a carrier from Chloe? With the basic design as well as inharmonious colours combination, I practically think my own eyes.
This ndy?Satchel within eucalyptus buckskin is sort of dull to look at, yet because of in which zippered gusset which displays any darker-hued panel as it can make this carrier a little interesting. It also includes a twice top handles together with gold sq . website link attachments, a high zero closure, and several accents around the side.

DipsQuics - Thursday, May 31, 2012 4:13:29 PM

Is that a real carrier coming from Chloe? With the particular plain design and inharmonious colors combination, I practically think my own eyes.
This ndy?Satchel in eucalyptus buckskin is type of dull to check at, but because of in which zippered gusset which displays any darker-hued panel since it tends to make this kind of tote a little interesting. It furthermore has a double top addresses along with gold sq . website link attachments, a top zip closure, and some accents around the side.

DipsQuics - Thursday, May 31, 2012 10:02:30 PM

is the perfect daytime purse with plenty of room web hosting and company items. And it is versatile. At any office or even around the holiday you will end up considered like a girl of favor with this carrier on your own shoulder.

DipsQuics - Wednesday, June 6, 2012 2:32:17 AM

Great article! Coding is something that takes time to learn but can be a very valuable asset to have.

Wireless Home Security News - Thursday, July 19, 2012 7:56:22 PM

I'm still learning from you, while I'm making my way to the top as well. I certainly enjoy reading everything that is written on your blog.Keep the stories coming. I loved it!

buy wow gold - Saturday, October 13, 2012 1:18:23 AM

mceql brian urlacher jersey
cgafx greg jennings jersey
lvhbw phil dawson jersey
rwzzl joe flacco jersey
cpfzq mark ingram jersey

Jimmyza0se - Tuesday, October 23, 2012 3:37:03 AM

TwellaJep coach factory
TotInsuts coach outlet online
guethighsiz coach factory
Audisrurn coach.com
Audisrurn

reorcerak - Tuesday, October 23, 2012 9:00:58 AM

TwellaJep coach factory outlet
TotInsuts coach outlet
guethighsiz coach outlet store online
Audisrurn coach factory outlet online
Audisrurn

reorcerak - Tuesday, October 23, 2012 9:10:14 PM

Exactly what you are searching is needed by me also! I was simply searching for this alone and luckily got. I like it. But still the Conclusion Lags. I expect further more!

Best and Creative Advertising Company / Agency Chennai - Wednesday, January 23, 2013 5:18:59 AM

jer ve had McClain content articles
5 Million of cloud employer products DynamicOps

jordan13dwzpj - Sunday, March 17, 2013 5:26:10 PM

Baby drops dead as a result of indication of earlier tissue layer rupture skipped
Biofilters designed for gdn wetlands

jordan13eeujx - Monday, March 18, 2013 12:17:38 PM

When I originally commented I clicked the "Notify me when new comments are added" checkbox and
now each time a comment is added I get several e-mails with the same comment.

Is there any way you can remove people from
that service? Thanks!

Gooden - Monday, March 25, 2013 11:42:45 PM

thanks for this nice post, i like it

pipe making machine - Tuesday, March 26, 2013 6:58:37 AM

i like this nice sharing,thanks for it

tube mill line - Tuesday, April 2, 2013 5:57:19 AM

I rarely leave a response, however i did a few searching and wound up here webmatrix–helpers–antiforgery - kashyapa's .NET Rumbles. And I do have a few questions for you if you do not mind. Could it be just me or does it look like some of the remarks come across as if they are coming from brain dead individuals? :-P And, if you are writing at additional online social sites, I would like to follow anything fresh you have to post. Would you make a list of all of your public pages like your Facebook page, twitter feed, or linkedin profile?

Boyer - Saturday, April 13, 2013 12:15:32 PM

Comments have been disabled for this content.