Benutzer:MovGP0/ASP.NET Core/Anti-Forgery

aus Wikipedia, der freien Enzyklopädie
   MovGP0        Über mich        Hilfen        Artikel        Weblinks        Literatur        Zitate        Notizen        Programmierung        MSCert        Physik      
Programmierung


ASP.NET
Common

OWIN • Razor • WebForms • MVC • WebAPI

Core

Configuration • Data Protection API • Dependency Injection • Routing

Attack Vectors

HTTPS • HSTS • HPKP • CSP • CSRF • Anti-XSS • CORS • Open Redirection • Click-Jacking

Libraries

OpenID • Azure AD


Cross-Site Request Forgery (CSRF)

Synchronizer Token Pattern (STP)

<input type="hidden" name="csrftoken" value="KbyUmhTLMpYj7CD2di7JKP1P3qmLlkPt" />
  • All MVC-Forms have an anti forgery token 
    @using (Html.BeginForm("ChangePassword", "Manage"))
{
    // ...
}
  • Provide token manually if form is is HTML 
    <form action="/" method="post">
    @Html.AntiForgeryToken()
</form>
Validation
Validation of the token is done by placing an attribute on the MVC controller or method.
An attribute given on a lower level overrides attributes at a higher level
[ValidateAntiForgeryToken] always validate the token
[AutoValidateAntiforgeryToken] validate the token except for GET, HEAD, OPTIONS, TRACE
[IgnoreAntiforgeryToken] do not validate the token (use for save methods only)
Microsoft.AspNetCore.Antiforgery
services.AddAntiforgery(options => {
    options.FormFieldName = "csrftoken";
    options.RequireSsl = true;
});

Cookie

Wird im HTTP-Header deklariert: 

Set-Cookie: Csrf-token=i8XNjC4b8KVok4uw5RftR38Wgp2BFwql; expires=Thu, 23-Jul-2015 10:25:33 GMT; Max-Age=31449600; Path=/
  • MUST NOT have an httpOnly flag! Needs te be processed by JavaScript.
Microsoft.AspNetCore.Antiforgery
services.AddAntiforgery(options => {
    options.CookieName = "CsrfCookie";
    options.CookiePath = "/";
    options.CookieDomain = "example.com";
    options.RequireSsl = true;
});

HTTP-Header / REST

Microsoft.AspNetCore.Antiforgery
services.AddAntiforgery(options => {
    options.HeaderName = "X-Csrf-Token";
    options.RequireSsl = true;
});

There are multiple headers used:

HTTP-Headers
X-Csrf-Token Standard
X-XSRF-TOKEN Angular
X-Requested-With jQuery
X-CSRF-TOKEN Java Play Framework
X-Requested-By Oracle Jersey

Manuelle Validierung: 

csrf_token = HMAC(session_token, application_secret)

XMLHttpRequests

For old Browsers that allow Cross-Site XMLHttpRequests, the Origin headers have to be checked: 

// pass if Origin header is ok
var expected = new Regex("^https?://myserver.com$"); // compare with URI for production code
var origin = request.Headers["Origin"].SingleOrDefault();
if(expected.Matches(origin)) return Next(request);

// pass if the request was not done with XmlHttpRequest
var requestedWith = request.Headers["X-Requested-With"];
if(!requestedWith.Any(rw => rw.Equals("XmlHttpRequest", StringComparison.InvariantCultureIgnoreCase))) return Next(request);

// deny otherwise
var response = context.Response;
response.StatusCode = 401;
return response.WriteAsync("Access denied.");

Verteilte .NET Core Anwendung

Bei einer verteilten .NET Core Anwendung muss das Application Secret (IAntiForgery) und der AntiforgeryTokenStore (IAntiforgeryTokenStore) zentral implementiert und in der DI überschrieben werden.

Siehe auch: Microsoft.AspNetCore.Antiforgery

Quellen
Abgerufen von „https://de.wikiup.org/index.php?title=Benutzer:MovGP0/ASP.NET_Core/Anti-Forgery&oldid=198988610