Saturday, 5 July 2014

How does CSRF validate token?






Here is the scenario.


I have the following action methods in a controller named Default1.



using System.Web.Mvc;

public class Default1Controller : Controller
{
    // Only accepts POSTs whose hidden __RequestVerificationToken field
    // validates against the anti-forgery cookie.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult testing()
    {
        return View();
    }

    // Renders the form that posts to /Default1/testing.
    public ActionResult testing1()
    {
        return View();
    }
}


Their corresponding Views are:


// testing1.cshtml



@{
ViewBag.Title = "testing1";
}

<h2>testing1</h2>

<form action="/Default1/testing" method="post">
@Html.AntiForgeryToken()
<input type="submit" value="submit"/>
</form>


// testing.cshtml



@{
ViewBag.Title = "testing";
}

<h2>testing</h2>

<h1>successfully validated cookie</h1>


So first I visit /Default1/testing1, which sets an HttpOnly cookie. In the request a hidden field is also added which has a token. Here is that input field.



<input name="__RequestVerificationToken" type="hidden" value="qgahCspc_DQBSQTkFR5_NmPDGygciZPNxt7BmqZE9NpmVzrbbo1N43T3RDjJvrMUmsq4MT5vUqvvQF4SCrSQXnQpKB9THGNA5hVcVu6exIQ1">


Following is a screenshot of the response header; the HTTP cookie can be seen in the red circle.


[Screenshot of the response headers; the HttpOnly cookie is circled in red]


I thought first the HttpOnly cookie is set, and on the post request the value from the hidden field and the value of the HttpOnly cookie are compared; if both are equal then we are considered to be validated. But as can be seen, both these values are different. This mechanism is working. The question is how? Is one of these values encrypted and decrypted later before comparison?



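An added illustration (not from the question and not ASP.NET's own code) of why the two values differ yet still validate: both are sealed encodings of the same random security token, the cookie token carrying only that token and the form token also carrying the user name, so the server compares the unsealed security tokens rather than the raw strings. The key, the MAC-based sealing and the JSON layout are assumptions made for this demo; ASP.NET MVC encrypts as well as authenticates its tokens.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed server-side key; ASP.NET derives its own from the machineKey.
SERVER_KEY = b"constructed-demo-key-not-for-real-use"


def _seal(payload):
    """Authenticate a payload so the client cannot forge or alter it.
    (ASP.NET additionally encrypts; a MAC is enough to show the comparison.)"""
    body = json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()


def _unseal(token):
    """Verify the MAC and return the payload, rejecting anything tampered."""
    raw = base64.urlsafe_b64decode(token)
    body, tag = raw[:-32], raw[-32:]
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("token forged or tampered")
    return json.loads(body)


def issue_tokens(username):
    """Return (cookie_token, form_token) sharing one random security token.
    The two strings differ because the form token also names the user."""
    st = secrets.token_hex(16)
    cookie_token = _seal({"session": True, "st": st})
    form_token = _seal({"session": False, "st": st, "user": username})
    return cookie_token, form_token


def validate(cookie_token, form_token, current_user):
    """Mirror the [ValidateAntiForgeryToken] check: unseal both values and
    compare the embedded security token, not the opaque strings themselves."""
    c = _unseal(cookie_token)
    f = _unseal(form_token)
    if not c["session"] or f["session"]:
        raise ValueError("cookie and form tokens swapped")
    if not hmac.compare_digest(c["st"], f["st"]):
        raise ValueError("security token mismatch")
    if f["user"] != current_user:
        raise ValueError("form token was issued to a different user")
    return True
```

A form token taken from another session, or one issued to a different user, fails even though it was sealed with the same key, which is what stops a cross-site form from being replayed against the victim's cookie.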





