ASP.NET Core | XSRF or CSRF

Cross-Site Request Forgery (XSRF/CSRF) is an attack where attacker that acts as a trusted source send some data to a website and perform some action. An attacker is considered a trusted source because it uses the authenticated cookie information stored in browser.
For example, a user visits some site 'www.abc.com' then browser performs authentication successfully and stores the user information in cookie and perform some actions, In between user visits some other malicious site 'www.bad-user.com' and this site contains some code to make a request to vulnerable site (www.abc.com). It's called cross site part of CSRF.
How to prevent CSRF?

  • In ASP.NET Core 2.0 or later FormTaghelper automatically inject the antiforgery tokens into HTML form element.
  • You can add manually antiforgery token in HTML forms by using @Html.AntiForgeryToken() and then you can validate it in controller by ValidateAntiForgeryToken() method

Comments

Post a Comment

Popular posts from this blog

ASP.NET Core | Change Token

A  change token  in ASP.NET Core is a general-purpose, low-level building block used to track state changes. Let me break it down for you: IChangeToken Interface : The  IChangeToken  interface propagates notifications that a change has occurred. It resides in the  Microsoft.Extensions.Primitives  namespace and is implicitly provided to ASP.NET Core apps via the  Microsoft.Extensions.Primitives  NuGet package. Key properties: ActiveChangeCallbacks : Indicates whether the token proactively raises callbacks. If set to  false , a callback is never called, and the app must poll  HasChanged  for changes. HasChanged : Receives a value that indicates if a change has occurred. Additionally, it includes the  RegisterChangeCallback(Action<Object>, Object)  method, which registers a callback invoked when the token changes 1 . ChangeToken Class : The  ChangeToken  class is static and used to propagate notifications that...
Read more

ASP.NET Core | Open Web Interface for .NET (OWIN)

Image
ASP.NET Core supports the Open Web Interface for .NET (OWIN). OWIN allows web apps to be decoupled from web servers. It defines a standard way for middleware to be used in a pipeline to handle requests and associated responses. ASP.NET Core applications and middleware can interoperate with OWIN-based applications, servers, and middleware. Running OWIN middleware in the ASP.NET pipeline ASP.NET Core’s OWIN support is deployed as part of the  Microsoft.AspNetCore.Owin  package. You can import OWIN support into your project by adding this package as a dependency in your  project.json  file: "dependencies" : { "Microsoft.AspNetCore.Server.IISIntegration" : "1.0.0" , "Microsoft.AspNetCore.Server.Kestrel" : "1.0.0" , "Microsoft.AspNetCore.Owin" : "1.0.0" }, OWIN middleware conforms to the  OWIN specification , which requires a  Func<IDictionary<string,   object>,   Task>  interface, and...
Read more

How will you improve performance of ASP.NET Core Application?

Cache aggressively Caching is discussed in several parts of this article. For more information, see  Overview of caching in ASP.NET Core . Understand hot code paths In this article, a  hot code path  is defined as a code path that is frequently called and where much of the execution time occurs. Hot code paths typically limit app scale-out and performance and are discussed in several parts of this article. Avoid blocking calls ASP.NET Core apps should be designed to process many requests simultaneously. Asynchronous APIs allow a small pool of threads to handle thousands of concurrent requests by not waiting on blocking calls. Rather than waiting on a long-running synchronous task to complete, the thread can work on another request. A common performance problem in ASP.NET Core apps is blocking calls that could be asynchronous. Many synchronous blocking calls lead to  Thread Pool starvation  and degraded response times. Do not  block asynchronous execution by...
Read more