Search code examples
asp.net-core-2.0fiddlerantiforgerytoken

AspNetCore Antiforgery and Fiddler

Which anti-forgery keys is required to make post calls with programs like Postman or Fiddler? It seems like I have both a cookie and also a hidden form-data variable. Which should I use, and how do the anti-forgery checks work? I am using a simple web application (ASP Core 2.2.) that saves the user claims as a cookie.

enter image description here

My Create User page:

@page
@model WebAppTry3.Pages.CreateUserModel
@{
    ViewData["Title"] = "CreateUser";
    Layout = "_layout";
}

<h2>CreateUser</h2>

<form method="post">
    <input asp-for="Name" />
    <input type="submit" value="SKicka" />
</form>

This is how my form looks when displayed as HTML:

<form method="post">
    <input type="text" id="Name" name="Name" value="" />
    <input type="submit" value="SKicka" />
    <input name="AntiforgeryFieldname" type="hidden" value="<alot of characters...>" />
</form>

My Razor Page model:

public class CreateUserModel : PageModel
    {
        [BindProperty]
        public string Name { get; set; }

        public string Message = "Hm";

        public void OnGet()
        {            
        }

        public void OnPost()
        {            
            var name = Name;                        
            Message = "Inside the OnPOST";            
        }
    }

I tried to make a POST request with Fiddler with this input data, but I still get a status code 400. I copied the cookie from chrome when I ran the web application.

User-Agent: Fiddler
Host: localhost:4138
Content-Length: 0
Cookie: .AspNetCore.Antiforgery.Outs1Mq9yYA=<cookie value>
Request-body
Name: dddd
AntiforgeryFieldname: <long key>

enter image description here

EDIT : The purpose of the question is to understand which keys I need to get, to make a POST request in my Integration Tests.

Solution

  • After a couple of tries with Fiddle I finally managed to make a POST-request that responded with status code 200. These are the input data I used (I copied it from a get request).

    Headers

    User-Agent: Fiddler

Host: localhost:4138

Cookie: .AspNetCore.Antiforgery.Outs1Mq9yYA=CfDJ8Ig7LmCVzbFNldSD5Hjy-zm1fb4NILdlKScOD-N5H1EUwD98_nGsCRyWuX0lP82G0nj2tEyaGanTFgIvI9Msv27DNVBh08xFqRjfnB27Fmd0MyXlpW6RH2fX86CXsXZ0lLiUqqNzWcIbQuFgZUt7kQk

Content-Length: 192

Content-Type: application/x-www-form-urlencoded

    Request-body

    Name=dddd&__RequestVerificationToken=CfDJ8Ig7LmCVzbFNldSD5Hjy-zko3GB6hZztnIO6UPtkgxZMzPmWQbJft4mxROfI4y-V2yqQ3W9-xAn2kbgY2t9f4M8hkzzwfl7HiDOkRNFdji-pjtgkOhP_wXFJok4J04A5tO7ms_57FT8sqb91qM11-IM