My question is on ASP.NET MVC 5, regarding XSS/CSRF attack.
ASP.NET MVC gives a provision to prevent CSRF attack by generating Anti Forgery Token.
But this token can be used only with POST request.
As per my testing team to prevent CSRF attack every request should have a token number and they are asking to have only POST request not a single GET request.
So my question is:
Do we need to have POST request only to prevent CSRF attack?
How can we generate and send Anti Forgery Token through GET request?
If you have pages that display information to the user then these should be GET methods. Examples of GETs:-
However, if a page makes changes to the database or makes a permanent change (e.g. submitting card details) then these should be POST. Examples of POSTs:-
GET).
If your site is using the correct method for each action, then you should only need to implement CSRF protection for POST methods. However, if you have accidentally used GET where a POST should have been used (e.g. logout), then a fix for this is to pass the CSRF token along the query string (e.g. www.example.com/UserAccount/Logout?token=12345) - changing to a POST though is recommended.
You would have to write your own code to validate the token in this case as ASP.NET MVC ValidateAntiForgeryToken only works with POST requests. See here for how to make ValidateAntiForgeryToken work with GET.
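The answer says you must write your own validation when the token travels in the query string. The following is an added example (not code from the question, the answer, or the ASP.NET MVC framework itself) showing one way to do that in ASP.NET MVC 5: a helper that issues a token pair with System.Web.Helpers.AntiForgery.GetTokens and exposes the form-style token for use in a link, plus an authorization filter that reads the token back from the query string and hands it, together with the anti-forgery cookie, to AntiForgery.Validate. The attribute name, the helper name, and the query parameter name __RequestVerificationToken are choices made for this example; the AntiForgery, AntiForgeryConfig, FilterAttribute and IAuthorizationFilter types are the real MVC 5 / System.Web.Helpers APIs.

```csharp
using System;
using System.Web;
using System.Web.Helpers;
using System.Web.Mvc;

// Query-string parameter name chosen for this example (MVC's hidden form
// field uses the same name, but nothing forces the GET variant to match).
public static class AntiForgeryQueryString
{
    public const string TokenParameterName = "__RequestVerificationToken";
}

// Hypothetical HtmlHelper extension: issues (or refreshes) the anti-forgery
// cookie and returns the matching token so a view can put it in a link.
public static class AntiForgeryLinkHelper
{
    public static string AntiForgeryQueryToken(this HtmlHelper html)
    {
        var context = html.ViewContext.HttpContext;
        HttpCookie existing = context.Request.Cookies[AntiForgeryConfig.CookieName];

        string newCookieToken, formToken;
        AntiForgery.GetTokens(existing != null ? existing.Value : null,
                              out newCookieToken, out formToken);

        // GetTokens returns a null cookie token when the existing cookie is
        // still valid; only set a new cookie when one was actually issued.
        if (newCookieToken != null)
        {
            context.Response.Cookies.Add(
                new HttpCookie(AntiForgeryConfig.CookieName, newCookieToken)
                {
                    HttpOnly = true,
                    Secure = AntiForgeryConfig.RequireSsl
                });
        }
        return formToken;
    }
}

// Hypothetical filter: the GET counterpart of [ValidateAntiForgeryToken].
// AntiForgery.Validate throws HttpAntiForgeryException when the cookie and
// query-string tokens do not match, so a forged cross-site GET is rejected
// before the action runs.
[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class,
                AllowMultiple = false, Inherited = true)]
public sealed class ValidateAntiForgeryTokenOnQueryStringAttribute
    : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null)
            throw new ArgumentNullException("filterContext");

        HttpRequestBase request = filterContext.HttpContext.Request;
        HttpCookie cookie = request.Cookies[AntiForgeryConfig.CookieName];
        string cookieToken = cookie != null ? cookie.Value : null;
        string queryToken = request.QueryString[AntiForgeryQueryString.TokenParameterName];

        // Both halves must be present and must have been issued together.
        AntiForgery.Validate(cookieToken, queryToken);
    }
}

// Usage on the action the answer uses as its example (logout over GET):
//
//   [ValidateAntiForgeryTokenOnQueryString]
//   public ActionResult Logout() { ... }
//
// and in the Razor view that renders the link:
//
//   <a href="@Url.Action("Logout", "UserAccount",
//        new { __RequestVerificationToken = Html.AntiForgeryQueryToken() })">Log out</a>
```

Two points to keep in mind with this approach. The validation calls must run for every request that reaches the action; an unhandled HttpAntiForgeryException surfaces as a 500 unless you map it, so a custom error page or an exception filter is worth adding. More importantly, a token in a URL is written to server logs, browser history and the Referer header of any outbound link on the resulting page, which is exactly why the answer still recommends converting such actions to POST rather than treating the query-string token as a permanent fix.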