Geeks With Blogs




Programming and Learning from SD

I just read this article in the June MSDN magazine by Peter Vogel and thought it needed to be highlighted. If you're using WebAPI you should think about Cross-Site Request Forgeries. It also applies to the 70-487 test.

"ASP.NET doesn’t automatically protect you against Cross-Site Request Forgery (CSRF/XSRF) attacks (more on that later)."

"When a user accesses an ASP.NET site using Forms Authentication, ASP.NET generates a cookie that stipulates the user is authenticated. The browser will continue to send that cookie on every subsequent request to the site, no matter from where that request originates. This opens your site to CSRF attacks, as does any authentication scheme where the browser automatically sends authentication information previously received. If, after your site provides the browser with the security cookie, the user visits some malicious site, then that site can send requests to your service, piggy-backing on the authentication cookie the browser received earlier.

To prevent CSRF attacks, you’ll need to generate antiforgery tokens at the server and embed them in the page to be used in your client-side calls. Microsoft provides the AntiForgery class with a GetToken method that will generate tokens specific to the user who made the request (who may, of course, be the anonymous user)." (continue reading for code examples and more information.)

He also shows how to do custom authentication using an HTTPModule or MessageHandler by inheriting from DelegatingHandler.

http://msdn.microsoft.com/en-us/magazine/dn201748.aspx
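To make the token check concrete, here is an added sketch (not code from the MSDN article or from this post) of a Web API message handler that rejects state-changing requests that lack a valid antiforgery token. It uses `AntiForgery.GetTokens` and `AntiForgery.Validate` from `System.Web.Helpers`; the `X-XSRF-Token` header name, the `cookie:form` packing and the `AntiForgeryHandler` and `IssueToken` names are assumptions chosen for illustration, and the handler assumes web hosting (IIS), since the AntiForgery class relies on `HttpContext.Current`.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Helpers; // AntiForgery

public class AntiForgeryHandler : DelegatingHandler
{
    // Assumed header name; the page's script must send the same one.
    public const string HeaderName = "X-XSRF-Token";

    // Call while rendering the page and embed the result for client-side calls.
    public static string IssueToken()
    {
        string cookieToken, formToken;
        AntiForgery.GetTokens(null, out cookieToken, out formToken);
        return cookieToken + ":" + formToken;
    }

    protected override Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        // Safe methods must not change state, so only the others are checked.
        if (request.Method == HttpMethod.Get || request.Method == HttpMethod.Head
            || request.Method == HttpMethod.Options)
            return base.SendAsync(request, cancellationToken);

        string cookieToken = null, formToken = null;
        IEnumerable<string> values;
        if (request.Headers.TryGetValues(HeaderName, out values))
        {
            string[] parts = values.First().Split(':');
            if (parts.Length == 2) { cookieToken = parts[0]; formToken = parts[1]; }
        }
        try
        {
            // Throws when a token is missing, malformed, or issued to another user.
            AntiForgery.Validate(cookieToken, formToken);
        }
        catch (System.Web.Mvc.HttpAntiForgeryException)
        {
            return Task.FromResult(request.CreateResponse(HttpStatusCode.Forbidden));
        }
        return base.SendAsync(request, cancellationToken);
    }
}
```

Register it with `config.MessageHandlers.Add(new AntiForgeryHandler());`. The browser attaches the authentication cookie to a cross-site request automatically, but it does not attach this custom header, so a forged request fails validation.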


NOTE: Preventing Cross Site Scripting Attacks in ASP.NET MVC 4 is related, but for MVC 4.

Posted on Monday, June 10, 2013 10:43 AM WebApi


Comments on this post: Securing WebAPI and stopping CSRF requests



Copyright © Aligned | Powered by: GeeksWithBlogs.net