'csrf vulnerability testing

I have hosted a small MVC application on IIS using localhost on machine A. I have the following html in the home page. The domain here is the IP address of machine B for testing purposes.

<div class="row">
    <div class="col-md-4">
        <h2 class="jumbotron">You have won a prize!</h2>
        <p>
            To redeem your prize. Click this button.
        </p>
        <form action="http://target_IP_address/eline/webController/Populate" method="POST">
            <input type="hidden" name="dateF" value="3/16/2022 3:01:26 PM" />
            <input type="hidden" name="dateT" value="3/17/2022 3:01:26 PM" />
            <input type="submit" class="btn btn-primary btn-lg" value="Give me my prize" />
        </form>
    </div>  
</div>

Now, in machine B I am logged into the vulnerable website. I then click on a link that takes me to the website hosted on machine A. When I arrive to the website, I click on the the "submit" button. Here is where my confusion begins. There is no record of this request being made in machine B. I do see the request in machine A. This is what I see.

enter image description here

I was under the impression that I would see the request on machine B. Since I am seeing it in machine A I am sure I am messing up somehow. The fix I implemented to check csrf attacks is supposed to attach a custom header (csrf-detected:1) to the response if the request is missing another custom header (csrf-token:some unique token). Since this header does not show up in the "Response Headers" section, I'm thinking the check did not occur before the Populate method in the webController. Can anyone point out what I'm doing wrong?

asp.net-mvcsecuritycsrf


Solution 1:[1]

To help prevent CSRF attacks, ASP.NET MVC uses anti-forgery tokens, also called request verification tokens.

  1. The client requests an HTML page that contains a form.
  2. The server includes two tokens in the response. One token is sent as a cookie. The other is placed in a hidden form field. The tokens are generated randomly so that an adversary cannot guess the values.
  3. When the client submits the form, it must send both tokens back to the server. The client sends the cookie token as a cookie, and it sends the form token inside the form data. (A browser client automatically does this when the user submits the form.)
  4. If a request does not include both tokens, the server disallows the request.

To add the anti-forgery tokens to a Razor page, use the HtmlHelper.AntiForgeryToken helper method:

@using (Html.BeginForm("Manage", "Account")) {
    @Html.AntiForgeryToken()
}

This method adds the hidden form field and also sets the cookie token.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 moinmaroofi

Related Questions

Secure cookies flag always getting lost in first session after resetting IIS

How to show or hide contents of an aspx page based on current user's roles

protect images on webpage from being copied/saved?

Getting error "403 - Forbidden: Access is denied" on browser when user is NOT administrator

Disable SSLHandshakeException for a single connection

SSL certificate error for IE users only

How to access HttpContext and Request in RequireAssersion?

Send Public key(generated as seckeyref in iPhone) to server(in Java)

The EXECUTE permission is denied on the user-defined table types?

cannot commit or push using egit (guess: issues with secure storage area)

Authorisation in microservices - how to approach domain object or entity level access control using ACL?

Adding nonce value to @Scripts.Render ASP.Net MVC razor pages with NWebSec

SSL Java java.io.IOException: Invalid keystore format

preventing abuse of API service usage

Protecting or Licensing a Django Application