23

Is there a way to ensure ASP.NET MVC 4 forms are protected against CSRF by default?

For instance, is there a way to have AntiForgeryToken automatically applied to all forms in both views and controller actions?

Background on this question: Prevent Cross-Site Request Forgery (CSRF) using ASP.NET MVC’s AntiForgeryToken() helper and Anatomy of a Cross-site Request Forgery Attack.

Fernando Correia
  • 21,803
  • 13
  • 83
  • 116
  • I suspect that this is only really necessary on forms that grant access, such as login forms or user rights administrative forms, or forms that submit personally-identifiable information such as social security numbers and pass phrases. But I look forward to seeing the answers. – Robert Harvey Apr 01 '12 at 14:59
  • 4
    Since CSRF may allow anyone to execute any action on a web application under your credentials, it seems to me that all actions that enter or modify data should be protected against it. For example, adding a record to an accounting application. – Fernando Correia Apr 01 '12 at 15:07
  • 1
    They would, of course, need your credentials first. :) – Robert Harvey Apr 01 '12 at 15:10
  • 2
    On the contrary. The nature of CSRF attacks is that can be done without having your credentials. Please refer to [1](http://haacked.com/archive/2009/04/02/anatomy-of-csrf-attack.aspx), [2](http://en.wikipedia.org/wiki/Cross-site_request_forgery). – Fernando Correia Apr 01 '12 at 15:13
  • Ah, I see. So the attacker is capturing your authentication cookies. – Robert Harvey Apr 01 '12 at 15:16
  • Not quite; the same-origin policy in browsers prevents that. The attacker is submitting a form post to your web app and the authentication cookie goes along with it. This vulnerability is widespread. – Fernando Correia Apr 01 '12 at 15:19
  • Well, the only way to do it would probably be to hack the ASP.NET MVC code to perform this automatically. You need changes in both the view and the controller, so simply inheriting from a base controller wouldn't do it, and I'm not sure creating a fork of the ASP.NET code base to accomplish this is the best idea. – Robert Harvey Apr 01 '12 at 15:21
  • Funny where this discussion left off... @RobertHarvey the attacker doesn't take your authentication cookies, they just stage the attack when they suspect your in an authenticated session. Like you know someone works in webapp X while at work so you craft a post to change their password, make some fake little site that submits it and email them the link telling them they urgently need to follow it. Also, this solution does half the legwork for you but the MVC paradigm just sort of sucks. It's unnecessary verbose, tedious to implement and prone to developer oversight. – evanmcdonnal Jul 07 '15 at 17:00
  • @evanmcdonnal: You prefer PHP, I assume? – Robert Harvey Jul 07 '15 at 17:01
  • @RobertHarvey lol no. If the views could be handled the same as the controllers then it would be fine. My problem here is with the need to copy/paste the same line of code into potentially hundreds of views. And, had I not found this question, the same would be true of my controllers. That just doesn't make sense. A clever implementation could have been done fully without developers having any awareness **and** it should have been. IF designed in the framework correctly it would be about 10 lines of JS and 50-100 lines in some location like `Application_BeginRequest()`. – evanmcdonnal Jul 07 '15 at 17:44
  • @evanmcdonnal: You're thinking in terms of old-school Webforms. `Application.BeginRequest()` provides no separation of concerns whatsoever, and Webforms applications have a deserved reputation of being plates of spaghetti. If you're doing a lot of copy/pasting, you're doing it wrong; ASP.NET MVC is firmly committed to DRY. – Robert Harvey Jul 07 '15 at 18:21
  • @RobertHarvey I'm not saying that is the exact place to put the code. Only that I shouldn't have to repeat it all over the project instead of making it a precondition for handling the request. Why should MVC even pass it to my handler if the basic security requirement hasn't been met? I see it as a responsibility of the framework like handling session state. What do you mean I'm doing it wrong if I'm copying/pasting? MSFT says I need this; `<%= Html.AntiForgeryToken() %>` in my views, I have about 600 of them in the app I'm implementing CSRF-protection in... – evanmcdonnal Jul 07 '15 at 18:27
  • @evanmcdonnal: Seems like a layout would be a good place to put that, but I'm not sure. – Robert Harvey Jul 07 '15 at 18:30
  • @RobertHarvey thanks for the pointer. I'll investigate that option. If I have a one to many layout to view relationship (which sounds like a good idiomatic design) then it could work very well. – evanmcdonnal Jul 07 '15 at 18:32

4 Answers4

24

To add to osoviejo's excellent answer, the instructions below, from my recent blog post on CSRF, put his work together with the information in Phil's blog in one comprehensive answer.

ASP.NET/MVC provides a mechanism for this: you can add to to a collection of filters on the global FilterProviders object. This allows you to target some controllers and not others, adding the needed security feature.

First, we need to implement an IFilterProvider. Below, you can find Phil Haack's Conditional Filter Provider class. Begin by adding this class to your project.

public class ConditionalFilterProvider : IFilterProvider
{
    private readonly
      IEnumerable<Func<ControllerContext, ActionDescriptor, object>> _conditions;

    public ConditionalFilterProvider(
      IEnumerable<Func<ControllerContext, ActionDescriptor, object>> conditions)
    {
        _conditions = conditions;
    }

    public IEnumerable<Filter> GetFilters(
        ControllerContext controllerContext,
        ActionDescriptor actionDescriptor)
    {
        return from condition in _conditions
               select condition(controllerContext, actionDescriptor) into filter
               where filter != null
               select new Filter(filter, FilterScope.Global, null);
    }
}

Then, add code to Application_Start that adds a new ConditionalFilterProvider to the global FilterProviders collection that ensures that all POST controller methods will require the AntiForgeryToken.

IEnumerable<Func<ControllerContext, ActionDescriptor, object>> conditions = 
    new Func<ControllerContext, ActionDescriptor, object>[] {
    // Ensure all POST actions are automatically 
    // decorated with the ValidateAntiForgeryTokenAttribute.

    ( c, a ) => string.Equals( c.HttpContext.Request.HttpMethod, "POST",
    StringComparison.OrdinalIgnoreCase ) ?
    new ValidateAntiForgeryTokenAttribute() : null
};

var provider = new ConditionalFilterProvider(conditions);

// This line adds the filter we created above
FilterProviders.Providers.Add(provider);

If you implement the two pieces of code above, your MVC application should require the AntiForgeryToken for every POST to the site. You can try it out on Phil Haack's CSRF example web site - once protected, the CSRF attack will throw System.Web.Mvc.HttpAntiForgeryException without having to add the [ValidateAntiForgeryToken] annotation. This rules out a whole host of "forgetful programmer" related vulnerabilities.

Kyle
  • 963
  • 3
  • 16
  • 32
12

You can use a filter provider with a condition that the filter ValidateAntiForgeryTokenAttribute() be applied whenever HttpContext.Request.HttpMethod == "POST".

I essentially followed the generic approach described by Phil Haack, and added the appropriate condition:

// Ensure all POST actions are automatically decorated with the ValidateAntiForgeryTokenAttribute.
( c, a ) => string.Equals( c.HttpContext.Request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase ) ?
 new ValidateAntiForgeryTokenAttribute() : null
osoviejo
  • 481
  • 6
  • 17
  • 1
    I've combined this answer with the information about ConditionalFilterProvider's from Phil's blog post in a recent post about CSRF and ASP.NET/MVC. http://kylehodgson.com/2013/01/08/asp-netmvc-web-security-basics-csrf/ – Kyle Jan 10 '13 at 04:17
2

One way to do it would be to modify the T4 templates in ASP.NET MVC that create forms, to have them insert this code automatically:

<% using(Html.Form("UserProfile", "SubmitUpdate")) { %>
    <%= Html.AntiForgeryToken() %>
    <!-- rest of form goes here -->
<% } %>

And of course, you need the corresponding attribute on the controller method:

[ValidateAntiForgeryToken]
public ViewResult SubmitUpdate()
{
    // ... etc
}

It's really not that difficult to retrofit an application in this manner, unless it's unusually large. The last application I wrote in MVC would probably take me a couple of hours to retrofit.

Robert Harvey
  • 178,213
  • 47
  • 333
  • 501
  • Robert, thank you for this sample code. It is helpful. But I'm trying to find out if there is a way to automatically have this applied over all forms and all controller actions, as a blanket. For instance, to prevent the possibility of forgetting to add the attribute to the controller method. – Fernando Correia Apr 01 '12 at 15:52
2

I have used FXCop to write two code analysis rules one that require that a HttpMethod attribute is applied to all controller actions and a second that requires any action that has a HttpPost attribute must also have a RequiresAntiForgeryToken attribute.

This worked well for us. The rules are not particularly hard to write

martin308
  • 706
  • 6
  • 20