Aspnetcore.docs: Anti-Request Forgery

Created on 21 Apr 2015 · 26 comments · Source: dotnet/AspNetCore.Docs

All 26 comments

Hi there,

Will the URL at https://docs.asp.net/en/latest/security/anti-request-forgery.html stay stable once the docs drop?

As the project lead of OWASP Top 10 2007, OWASP Developer Guide 2.0, and OWASP Application Security Verification Standard 3.0, I would love to give as much of the security documentation you've got ready a review before it goes final. I'm easily reachable by the usual means, but best through my OWASP address.

I've been developing some unit tests around high functioning CSRF implementations, happy to share code if you don't have a lot of tests for the CSRF functionality in ASP.NET core at the moment.

@rynowak @blowdart @Tratcher see offer of tests for the CSRF functionality in ASP.NET core
@danroth27 please respond to URL stability.

@vanderaj There may still be some URL churn before we go final.

@vanderaj Feel free to submit a PR to https://github.com/aspnet/antiforgery with additional tests.

@blowdart @rynowak please review this request antiforgery doc plan:

We should include in this article documenting the new automatic anti-request forgery support in MVC

@spboyer take a look

@blowdart @rynowak please review this request antiforgery doc plan:

Yes, that's a doc plan :D

I'd like to see getting the form token part in javascript, rather than having to write a form

Document outline update after discussion with @rynowak

  • Introduction: What is Antiforgery.

    • Attack Description

    • When is it a problem? With cookie auth or integrated auth. Is it a problem with API calls? It depends on how you're authenticating. If using cookie auth (the likely case) then this can be an issue - they should send the CSRF token. Note: don't specify that you're attesting the request is definitely coming from your app since it's impossible to assure this without full control over the full system.

    • How ASP.NET Core addresses the problem...

  • MVC

    • Filters

    • ValidateAntiforgeryToken

    • New Features

      • AutoValidateAntiforgeryToken

      • IgnoreAntiforgeryToken

  • Note that all of MVC's ways of creating forms will create tokens. It's opt-out to stop this behavior.
  • Current templates use explicit attributes, not auto-validation. We recommend auto-validation for typical MVC scenarios (not web api, since there's no automatic sending of the non-cookie part of the token). In order to turn it off, use the IgnoreAntiforgeryToken attribute.
  • Even for anonymous posts, you should send the token.
  • Note: the token will change once you authenticate. So for instance, Angular assumes the token won't change. If you do login/logout over ajax, you need to write code to refresh the token for angular.
  • There are load-balancing scenarios to consider. If there are multiple servers, they all need to share a data protection keyring. Refer to data protection docs for more info. https://docs.microsoft.com/en-us/aspnet/core/security/data-protection/configuration/overview

  • JavaScript (Ajax) / SPA

    • Web APIs that need to be callable by non-browser clients (native apps, for instance)
  • IAntiforgery

    • Options: setting header, cookie name.

  • Fundamentals

    • UserTokens

    • Cookies

  • Samples

    • MVC: TagHelpers, HTMLHelpers

    • SPA: sample using Angular and Web API

    • Show generic non-Angular sample

@danroth27 @spboyer I might work on this with @fiyazbinhasan - see his Preventing XSRF in AngularJS Apps with ASP.NET CORE Anti-Forgery Middleware

@Rick-Anderson ok got it.

@danroth27 @spboyer - @fiyazbinhasan is going to start working on this. The outline after meeting with @rynowak doesn't mention

  • Combine Web API and MVC XSRF/CSRF Prevention into one asp.net core article

But we'll want to combine these two articles - but at the same time follow the outline. @rynowak is that OK with you?


@Rick-Anderson
It would be totally fantastic, if you could include some information on how to customise when the Anti Forgery token expires - instead of just at the end of the browser session.

CSRF tokens shouldn't expire, unless the underlying identity changes.

@Rick-Anderson
If you can spare the time, please include:

  • enabling only HTTPs anti-forgery tokens
  • how HttpOnly flag set to "true" would work with SPAs like Angular
  • about XST

I also really like this article:
http://resources.infosecinstitute.com/securing-cookies-httponly-secure-flags/

For reference: #1945

This sample is easily found: https://github.com/aspnet/Antiforgery/tree/dev/samples/AntiforgerySample
But we should update to the Entropy sample: https://github.com/aspnet/Entropy/tree/dev/samples/Mvc.AjaxAntiforgeryAuth.Web

The Angular way of passing the token is very angular-specific. A more generic approach would be more widely applicable.

@fiyazbinhasan can you write a more generic sample? @danroth27 do we want both an angular and a generic sample? I was thinking angular is very popular and would justify a specific example.

Yes we just discussed and we want both an Angular and a generic example (or more than one: web vs. native clients for instance)

@ardalis you can find an ajax (JavaScript) example at the bottom of this doc @Rick-Anderson provided earlier. I used jQuery to make the task of cookie parsing easier. I can write a raw one if you want :)

// Read the request token from the readable CSRF-TOKEN cookie (jquery.cookie plugin)
var csrfToken = $.cookie("CSRF-TOKEN");

// Send the token back in the X-CSRF-TOKEN header so the server can validate it
$.ajax({
  url: "/api/transaction",
  contentType: "application/json",
  data: JSON.stringify({"transactionAmount": 100, "transactionType": "DEBIT"}),
  type: "POST",
  headers: {"X-CSRF-TOKEN": csrfToken}
});

https://www.dropbox.com/sh/jfmncpp0z79m9mt/AACejY50rKGjSPpAnd5m2q_8a/Preventing%20XSRF%20in%20ASP.NET%20CORE.docx?dl=0
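A plain-JavaScript version of the jQuery snippet above, added here as an example (it is not code from the thread or from the aspnet samples). It assumes, as the jQuery snippet does, that the application writes the request token into a readable cookie named CSRF-TOKEN and validates it from an X-CSRF-TOKEN header; both names are server-side options. It also re-reads the cookie on every request rather than caching the token at page load, which is the fix for the login/logout-over-AJAX caveat in the outline. The helper names (readCookie, buildCsrfRequest, postWithCsrf) and the injectable fetchImpl/cookieSource parameters are assumptions for this example.

```javascript
// Cookie and header names as used by the jQuery snippet in this thread;
// both are configurable on the server and are assumptions here.
const CSRF_COOKIE_NAME = "CSRF-TOKEN";
const CSRF_HEADER_NAME = "X-CSRF-TOKEN";

// Parse one named cookie out of a document.cookie-style string.
// Returns null when the cookie is absent so callers can fail loudly
// instead of sending a request that the server will reject.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() === name) {
      return decodeURIComponent(part.slice(eq + 1).trim());
    }
  }
  return null;
}

// Build the fetch() options for a state-changing JSON request. The token
// is read from the cookie string at call time rather than cached at page
// load: the token changes when the user logs in or out, so a copy taken
// before an AJAX login would fail validation afterwards.
function buildCsrfRequest(cookieString, payload) {
  const token = readCookie(cookieString, CSRF_COOKIE_NAME);
  if (token === null) {
    throw new Error("Missing " + CSRF_COOKIE_NAME + " cookie; refusing to send");
  }
  return {
    method: "POST",
    credentials: "same-origin",
    headers: {
      "Content-Type": "application/json",
      [CSRF_HEADER_NAME]: token,
    },
    body: JSON.stringify(payload),
  };
}

// Send the request. fetchImpl and cookieSource are injectable (assumed
// names) so the logic can be exercised outside a browser; in a page the
// defaults use window.fetch and document.cookie.
async function postWithCsrf(url, payload, {
  fetchImpl = globalThis.fetch,
  cookieSource = () => globalThis.document.cookie,
} = {}) {
  return fetchImpl(url, buildCsrfRequest(cookieSource(), payload));
}
```

In a page, `postWithCsrf("/api/transaction", {transactionAmount: 100, transactionType: "DEBIT"})` sends the same request as the jQuery snippet without the jquery.cookie dependency.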

aspnet/antiforgery#119

@fiyazbinhasan thanks for the assistance; please review #1945
