1 vote

My question is on ASP.NET MVC 5, regarding XSS/CSRF attacks.

ASP.NET MVC gives a provision to prevent CSRF attacks by generating an Anti-Forgery Token.

But this token can be used only with POST requests.

As per my testing team, to prevent CSRF attacks every request should have a token number, and they are asking us to have only POST requests, not a single GET request.

So my question is:

  1. Do we need to have POST requests only to prevent CSRF attacks?

  2. How can we generate and send an Anti-Forgery Token through a GET request?

2
AntiForgeryToken in ASP.NET MVC always produces a hidden field in your HTML page. If you want to use that anti-forgery token in the case of an AJAX GET request, then you can get the token value with the help of jQuery by selecting the token through its id or class... – user2138919

2 Answers

2
votes

If you have pages that display information to the user then these should be GET methods.

Examples of GETs:-

  • View Basket.
  • Display user details form.
  • Display product.

However, if a page makes changes to the database or makes a permanent change (e.g. submitting card details) then these should be POST.

Examples of POSTs:-

  • Page that is called when basket is saved/changed.
  • Page that is called when user details are saved.
  • Login.
  • Logout (an easy one to miss - usually sites implement this as GET).

If your site is using the correct method for each action, then you should only need to implement CSRF protection for POST methods. However, if you have accidentally used GET where a POST should have been used (e.g. logout), then a fix for this is to pass the CSRF token along the query string (e.g. www.example.com/UserAccount/Logout?token=12345) - changing to a POST though is recommended.

You would have to write your own code to validate the token in this case as ASP.NET MVC ValidateAntiForgeryToken only works with POST requests. See here for how to make ValidateAntiForgeryToken work with GET.

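An added example (not code from the answer or from ASP.NET MVC itself) of the custom validation the answer describes: an authorization filter that reads the token from the query string and checks it with the same AntiForgery.Validate helper the built-in attribute uses. The attribute name, the query-string key and the UserAccountController are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Helpers;
using System.Web.Mvc;
using System.Web.Routing;

// Hypothetical filter (not part of ASP.NET MVC): validates the anti-forgery token on GET
// actions by reading it from the query string instead of the posted form, using the same
// AntiForgery.Validate(cookieToken, formToken) helper the built-in attribute relies on.
[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, AllowMultiple = false)]
public sealed class ValidateAntiForgeryTokenOnGetAttribute : FilterAttribute, IAuthorizationFilter
{
    // Query-string key is an assumption; use the same name when building the link.
    public const string QueryKey = "__RequestVerificationToken";
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null) throw new ArgumentNullException("filterContext");
        HttpRequestBase request = filterContext.HttpContext.Request;
        // First half of the pair: the cookie written when the token was generated.
        HttpCookie cookie = request.Cookies[AntiForgeryConfig.CookieName];
        string cookieToken = cookie == null ? null : cookie.Value;
        // Second half: carried in the query string rather than the form body.
        string queryToken = request.QueryString[QueryKey];
        if (string.IsNullOrEmpty(cookieToken) || string.IsNullOrEmpty(queryToken))
            throw new HttpAntiForgeryException("Anti-forgery token missing from cookie or query string.");
        // Throws HttpAntiForgeryException if the two halves do not belong together.
        AntiForgery.Validate(cookieToken, queryToken);
    }
}

public class UserAccountController : Controller
{
    // Builds a logout link carrying the token, like the answer's Logout?token=... example
    // (switching logout to a POST form, as the answer recommends, is still the better fix).
    public ActionResult Index()
    {
        HttpCookie oldCookie = Request.Cookies[AntiForgeryConfig.CookieName];
        string newCookieToken, formToken;
        AntiForgery.GetTokens(oldCookie == null ? null : oldCookie.Value, out newCookieToken, out formToken);
        if (newCookieToken != null) // null: the existing cookie is still valid and was reused
            Response.Cookies.Add(new HttpCookie(AntiForgeryConfig.CookieName, newCookieToken) { HttpOnly = true });
        ViewBag.LogoutUrl = Url.Action("Logout", new RouteValueDictionary { { ValidateAntiForgeryTokenOnGetAttribute.QueryKey, formToken } });
        return View();
    }
    [HttpGet, ValidateAntiForgeryTokenOnGet]
    public ActionResult Logout()
    {
        return RedirectToAction("Index", "Home"); // sign the user out before redirecting
    }
}
```

The filter runs before the action, so a link that arrives without a matching cookie/token pair never reaches the logout code.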
1 vote

It cannot be done with GET; POST is needed. A big reason is that HTTP GET should be idempotent and should not change any behaviour in the application; it should only be used to get data.

So if you are changing the behaviour from a GET, please make it a POST, and then you can use the Anti-Forgery Token.