I have one question about Mvc antiforgerytoken
In mvc razor page, we can place code: @Html.AntiForgeryToken()
inside the form, it will generate a token, this token will be fill into a hidden input field like:
<input name="__RequestVerificationToken" type="hidden"
value="6I2CsrmAhiDlHewQ4q4khXAENgaa66kDiGwHgaN5DV0f4W2_c2nyVA-q2OCingcgKLPNhSSeyuS_WaTmAGzpo3F5gUq9Wx89iXH1ujq6ZwGG5rO8v_F-4hYj5gEVZ1-E-DpxkcO7zIjMUKVH1bjPMo7Ot3UJHLl5r9isfCLyiOA1">
Question: I can easily create a request to download this mvc razor page to get token from "__RequestVerificationToken" field, then post bad data to attack specify server. Is this means antiforgery token function also not safe???
It's safe. Placing an anti forgery token to the form also creates a cookie named __RequestVerificationToken with the same token. This cookie is also validated to verify the request. Since the attacker can't add cookies to application domain, it can't pass this validation.
Steve Sanderson has a nice blog post that explains it in detail.