SlideShare a Scribd company logo

Sea surfing in asp.net mvc

M
magda3695

This document discusses ways to secure web applications from CSRF attacks. It describes how cookies and anti-forgery tokens can be used to authenticate requests and prevent request forgery. It provides examples of how attackers can hijack user sessions by stealing cookies and explains how to defend against these attacks using token-based validation. The document also addresses challenges in securing single-page apps and REST APIs and provides solutions like using a client-side API wrapper to generate and validate tokens for requests.

Technology
1 of 29
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
SEA-SURFING IN ASP.NET MVC BARTOSZ LENAR
THE PLAN BASICS  http requests  authentication  cookies  session SEA-SURFING  unfixable bug  hacking the system  csrf attack  token-based defence SPA  problems  server-side layer  client-side layer
FIDDLER responses requests
HTTP REQUEST  Method  Version  Host  Rest as key-value pairs:  Accept  Cache-control  …  BODY RESPONSE  Status dode  Version  Date  Rest as key-value pairs:  Content-type  Content-length  …  BODY
COOKIES  exist in headers as another key-value pair "with parameters"  cookies consist of  name  value  domain & path  expiration date  restrictions (security)
COOKIES SCENARIO 2. responds with cookie visited: true 1. sends request to example.org 4. sends request to example.org with visited:true cookie in headers 3. saves visited:true for example.org 5. knows that client visited this page earlier
HTTP REQUESTS AND COOKIES
WEB AUTHENTICATION  authentication system  authorize once at the beginning  use the system all the time  but http protocol is stateless!  every request is independent  how to simulate the states?  how to identify request from the specific user?
STATES SCENARIO 2. generates über-random identifier 1. sends first request to example.org 5. sends next request to example.org with UserId: QB32SDXC8 cookie in headers 4. saves UserId:QB32S… for example.org 3. sends it back in cookie UserId: QB32SDXC8
SESSION  so far: server is able to distinguish users  session: server-side bag for user data  key: previously generated identifier stored in cookie  like QB32SDXC8  value: yet another dictionary  user-specific data like name, address, etc.  security and access data like roles, privileges, etc.  forms
HACK THE SYSTEM  do we want to be an authorized user?  no! we want to act like one!  to hack the system = to "steal" someone’s session  maybe "someone” is:  facebook user – we have all his private data, photos, etc.  bank user – we know how much money he has  …  admin – we can do anything
SESSION HIJACKING  system/browser backdoor  steal the cookie from memory  xss  sidejacking  main-in-the middle  fixation  send user url with session id: http://example.org/?&sessionId=QB32SDXC8  wait for the user to log in  riding – our topic
THE ROADTO SESSION RIDING  we want to download data stored under http://example.org/admin/secret  let’s think:  authentication & authorization is based on session  session is based on cookies  cookies are being sent to example.org with every request  how about we prepare a website that sends request to the specified path?
LET’S TRYTO GET THE ADMIN’S SECRET
LET’S TRYTO GET THE ADMIN’S SECRET  what actually happened? 1. browser downloads the entire DOM tree 2. img node is being located 3. browser automatically sends GET request to download the image  but… there is no image at the end  nevertheless, browser attached all cookies dedicated to example.org <img src="http://example.org/admin/secret" />
LET’S TRYTO DO THE ADMIN’S JOB  GET shouldn’t change anything  http://example.org/admin/delete-user/?&username=admin  you’re doing itWRONG!  let’s mess up with POST / DELETE / PUT …
LET’S TRYTO DO THE ADMIN’S JOB
BUILDING THE FIREWALL  how browser works:  attacker is able to send cookies with the request …  … but is not able to see them!
ANTI-FORGERY TOKEN – HOW IT’S MADE 2. generates über-random identifier: J723SDA 1. sends request to example.org 3. sends it back inside the form and in the cookie AntiForgeryToken= J723SDA <input name="_token" type="hidden" value="J723SDA" />
ANTI-FORGERY TOKEN – HOW IT WORKS 1. sends request to example.org containing: • cookie with token: J723SDA • form value with token: J723SDA 2. validates the request: • token in cookie is present? true • token in form is present? true • do they match each other? true all true? it’s valid!
ANTI-FORGERY TOKEN – HOW IT SECURES 1. sends request to example.org containing: • cookie with token: J723SDA • form value with token: ?????????? 2. validates the request: • token in cookie is present? true • token in form is present? false • do they match each other? false all true? no! respond with 403 Forbidden
DO THE TRICK IN ASP.NET MVC
EVEN MORE SECURE  create a keyword based on:  action-specific and user-specific data  application, server, etc.  our keyword: "BARTEK"  hash the keyword: (0BDE667AA88E8832B61BF68C0D4E34A4) and split it:  0BDE667AA88E8832 goes into cookie  B61BF68C0D4E34A4 goes into form  on request, compute the keyword once again and validate the tokens
PROBLEMS  strongly relies on browser security  doesn’t work with GET requests  is it a problem in pure, REST service?  to disable cookies = to disable all communication  site vulnerable to XSS = we’re doomed
SINGLE PAGE APPS - PROBLEMS  forms are pre-generated  which form is going to be triggered next?
API WRAPPER – CLIENT SIDE  write wrapper for all ajax communication (GET, POST, PUT, DELETE)  requestSettings contains method, data, etc. ApiWrapper.prototype._SendRequest = function (requestSettings) { var self = this; requestSettings.headers["Token"] = self.Token; return $.ajax(requestSettings).always(function (arg1, textStatus, arg2) { jqXHR = (textStatus !== "success") ? arg1 : arg2; self.Token = jqXHR.getResponseHeader("Token"); document.cookie = "Token=" + self.TokenId + ";"; }); };
API WRAPPER – SERVER SIDE  keep tokens in cache/database  nosql  custom ValidateAntiForgeryTokenAttribute  validates token from cookie and header  updating token if necessary
API WRAPPER - USAGE  write wrapper for all ajax communication (GET, POST, PUT, DELETE)  return jqXHR from all functions api.Get('customers/' + customerId) .success(function (data) { self.Customer(data); }); api.Post('customers/' + customerId, editedData) .success(function () { message.ReportSuccess(); });
SEA-SURFING IN ASP.NET MVC QUESTIONS-SURFING  Fiddler: http://www.telerik.com/fiddler  Icons: http://www.visualpharm.com/ BARTOSZ LENAR bartoszlenar@gmail.com @bartoszlenar

More Related Content

PDF
What are JSON Web Tokens and Why Should I Care?
Derek Edwards
 
PPTX
DrupalTour. Ternopil — What's going on when you visit an URL (Andrij Sakhaniu...
Drupaltour
 
PDF
OWASP AppSec USA 2017: Cookie Security – Myths and Misconceptions by David Jo...
David Johansson
 
PPTX
Building Secure User Interfaces With JWTs
robertjd
 
PPTX
W3 conf hill-html5-security-realities
Brad Hill
 
PDF
Json web token api authorization
Giulio De Donato
 
PDF
Spring4 security
Sang Shin
 
PPTX
How it's made - MyGet.org - AzureConf
Maarten Balliauw
 
What are JSON Web Tokens and Why Should I Care?
Derek Edwards
 
DrupalTour. Ternopil — What's going on when you visit an URL (Andrij Sakhaniu...
Drupaltour
 
OWASP AppSec USA 2017: Cookie Security – Myths and Misconceptions by David Jo...
David Johansson
 
Building Secure User Interfaces With JWTs
robertjd
 
W3 conf hill-html5-security-realities
Brad Hill
 
Json web token api authorization
Giulio De Donato
 
Spring4 security
Sang Shin
 
How it's made - MyGet.org - AzureConf
Maarten Balliauw
 

What's hot (20)

PPTX
AZUG.BE - Azure User Group Belgium - First public meeting
Maarten Balliauw
 
PDF
AtlasCamp 2014: Connect Security
Atlassian
 
PDF
When Ajax Attacks! Web application security fundamentals
Simon Willison
 
PPTX
Presentation on Top 10 Vulnerabilities in Web Application
Md Mahfuzur Rahman
 
PPTX
Token Based Authentication Systems with AngularJS & NodeJS
Hüseyin BABAL
 
PPT
Top Ten Tips For Tenacious Defense In Asp.Net
alsmola
 
PDF
WebView security on iOS (EN)
lpilorz
 
PDF
Owasp for dummies handouts
BCC
 
PDF
Subresource Integrity
Philippe De Ryck
 
PDF
Advanced workflows for mobile web design and development
brucebowman
 
PPTX
Avoiding Cross Site Scripting - Not as easy as you might think
Erlend Oftedal
 
PPTX
14. html 5 security considerations
Eoin Keary
 
PDF
The Hidden XSS - Attacking the Desktop & Mobile Platforms
kosborn
 
PDF
From 0 to Spring Security 4.0
robwinch
 
PDF
Web application finger printing - whitepaper
Anant Shrivastava
 
PPTX
Effective SOA
Derrick Isaacson
 
PDF
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
michelemanzotti
 
PPTX
Preventing XSRF in ASP.NET CORE apps
Fiyaz Hasan
 
PPTX
Web fundamentals - part 1
Bozhidar Boshnakov
 
PDF
Rest Security with JAX-RS
Frank Kim
 
AZUG.BE - Azure User Group Belgium - First public meeting
Maarten Balliauw
 
AtlasCamp 2014: Connect Security
Atlassian
 
When Ajax Attacks! Web application security fundamentals
Simon Willison
 
Presentation on Top 10 Vulnerabilities in Web Application
Md Mahfuzur Rahman
 
Token Based Authentication Systems with AngularJS & NodeJS
Hüseyin BABAL
 
Top Ten Tips For Tenacious Defense In Asp.Net
alsmola
 
WebView security on iOS (EN)
lpilorz
 
Owasp for dummies handouts
BCC
 
Subresource Integrity
Philippe De Ryck
 
Advanced workflows for mobile web design and development
brucebowman
 
Avoiding Cross Site Scripting - Not as easy as you might think
Erlend Oftedal
 
14. html 5 security considerations
Eoin Keary
 
The Hidden XSS - Attacking the Desktop & Mobile Platforms
kosborn
 
From 0 to Spring Security 4.0
robwinch
 
Web application finger printing - whitepaper
Anant Shrivastava
 
Effective SOA
Derrick Isaacson
 
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
michelemanzotti
 
Preventing XSRF in ASP.NET CORE apps
Fiyaz Hasan
 
Web fundamentals - part 1
Bozhidar Boshnakov
 
Rest Security with JAX-RS
Frank Kim
 
Ad

Viewers also liked (19)

PPSX
Zmiana pracy mariola zieba antal
magda3695
 
PDF
Continuous delivery
magda3695
 
PDF
Akamai in a hyperconnected world
magda3695
 
PDF
Abc zarządzania sobą
magda3695
 
PDF
Scala
magda3695
 
POT
Hostingowe i domenowe pułapki [97 2003]
magda3695
 
PDF
Prezentacja v2(1)
magda3695
 
PPT
Agile zrobtosam infomeet
magda3695
 
PDF
Info meet katalog kraków 8 marca
magda3695
 
PDF
Abc zarządzania sobą
magda3695
 
PDF
Szczepan Faber mockito story (1)
magda3695
 
PDF
Ibm
magda3695
 
PDF
Soft layer cloud without compromise
magda3695
 
PDF
Przychodzi baba do lekarza na badania usability
magda3695
 
PDF
Prezentacja personal branding
magda3695
 
PDF
Big data ecosystem
magda3695
 
PDF
Jakość utracona v13
magda3695
 
PDF
Szczepan.faber.gradle
magda3695
 
PDF
Patterns for organic architecture codedive
magda3695
 
Zmiana pracy mariola zieba antal
magda3695
 
Continuous delivery
magda3695
 
Akamai in a hyperconnected world
magda3695
 
Abc zarządzania sobą
magda3695
 
Scala
magda3695
 
Hostingowe i domenowe pułapki [97 2003]
magda3695
 
Prezentacja v2(1)
magda3695
 
Agile zrobtosam infomeet
magda3695
 
Info meet katalog kraków 8 marca
magda3695
 
Abc zarządzania sobą
magda3695
 
Szczepan Faber mockito story (1)
magda3695
 
Ibm
magda3695
 
Soft layer cloud without compromise
magda3695
 
Przychodzi baba do lekarza na badania usability
magda3695
 
Prezentacja personal branding
magda3695
 
Big data ecosystem
magda3695
 
Jakość utracona v13
magda3695
 
Szczepan.faber.gradle
magda3695
 
Patterns for organic architecture codedive
magda3695
 
Ad

Similar to Sea surfing in asp.net mvc (20)

PPTX
Механизмы предотвращения атак в ASP.NET Core
Positive Hack Days
 
PDF
Ch 13: Attacking Users: Other Techniques (Part 2)
Sam Bowne
 
PPTX
CSRF
Dilan Warnakulasooriya
 
PDF
Механизмы предотвращения атак в ASP.NET Core
Positive Development User Group
 
PDF
CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)
Sam Bowne
 
PPT
Web 20 Security - Vordel
guest2a1135
 
PDF
Top 10 Web Application vulnerabilities
Terrance Medina
 
PDF
Hacking Web Aplications using Cookie Poisoning
Sumutiu Marius
 
PDF
CNIT 129S Ch 7: Attacking Session Management
Sam Bowne
 
PPTX
JWT Authentication with AngularJS
robertjd
 
PPTX
Browser Security 101
Stormpath
 
PDF
S8-Session Managment
zakieh alizadeh
 
PDF
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)
Sam Bowne
 
PDF
Evolution Of Web Security
Chris Shiflett
 
PPTX
Session management
Dhruv Aggarwal
 
PDF
Secure Coding BSSN Semarang Material.pdf
nanangAris1
 
PDF
The Hacker's Guide To Session Hijacking
Patrycja Wegrzynowicz
 
PPTX
Confidence web
Dan Kaminsky
 
PPT
A privacy-preserving defense mechanism against attacks
tahucampur
 
PDF
Securing Web Applications with Token Authentication
Stormpath
 
Механизмы предотвращения атак в ASP.NET Core
Positive Hack Days
 
Ch 13: Attacking Users: Other Techniques (Part 2)
Sam Bowne
 
CSRF
Dilan Warnakulasooriya
 
Механизмы предотвращения атак в ASP.NET Core
Positive Development User Group
 
CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)
Sam Bowne
 
Web 20 Security - Vordel
guest2a1135
 
Top 10 Web Application vulnerabilities
Terrance Medina
 
Hacking Web Aplications using Cookie Poisoning
Sumutiu Marius
 
CNIT 129S Ch 7: Attacking Session Management
Sam Bowne
 
JWT Authentication with AngularJS
robertjd
 
Browser Security 101
Stormpath
 
S8-Session Managment
zakieh alizadeh
 
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)
Sam Bowne
 
Evolution Of Web Security
Chris Shiflett
 
Session management
Dhruv Aggarwal
 
Secure Coding BSSN Semarang Material.pdf
nanangAris1
 
The Hacker's Guide To Session Hijacking
Patrycja Wegrzynowicz
 
Confidence web
Dan Kaminsky
 
A privacy-preserving defense mechanism against attacks
tahucampur
 
Securing Web Applications with Token Authentication
Stormpath
 

More from magda3695 (13)

PPTX
Prezentacja 20141129
magda3695
 
PPTX
7
magda3695
 
PDF
Dlaczego firmy wdrażają er py info_meet kraków
magda3695
 
PDF
Systematic architect
magda3695
 
PDF
Big data today and tomorrow
magda3695
 
PDF
Info meet 8 02-2014
magda3695
 
PPTX
Ccpm jako metoda planowania i kontroli projektów
magda3695
 
PDF
Info meet pomiary wydajności
magda3695
 
PDF
A rnav infomeet
magda3695
 
PDF
Dług technologiczny czyli mały wkład w duże problemy
magda3695
 
PDF
Akamai in a hyperconnected world
magda3695
 
PPS
Antal international prezentacja_targi_it
magda3695
 
PDF
Koprowski t certyfikacja_a_kariera_it_infomeet
magda3695
 
Prezentacja 20141129
magda3695
 
7
magda3695
 
Dlaczego firmy wdrażają er py info_meet kraków
magda3695
 
Systematic architect
magda3695
 
Big data today and tomorrow
magda3695
 
Info meet 8 02-2014
magda3695
 
Ccpm jako metoda planowania i kontroli projektów
magda3695
 
Info meet pomiary wydajności
magda3695
 
A rnav infomeet
magda3695
 
Dług technologiczny czyli mały wkład w duże problemy
magda3695
 
Akamai in a hyperconnected world
magda3695
 
Antal international prezentacja_targi_it
magda3695
 
Koprowski t certyfikacja_a_kariera_it_infomeet
magda3695
 

Recently uploaded (20)

PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PDF
Modernizing your data center with Dell and AMD
Principled Technologies
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Encapsulation theory and applications.pdf
gurumoop
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
Modernizing your data center with Dell and AMD
Principled Technologies
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 

Sea surfing in asp.net mvc

  • 1. SEA-SURFING IN ASP.NET MVC BARTOSZ LENAR
  • 2. THE PLAN BASICS  http requests  authentication  cookies  session SEA-SURFING  unfixable bug  hacking the system  csrf attack  token-based defence SPA  problems  server-side layer  client-side layer
  • 4. HTTP REQUEST  Method  Version  Host  Rest as key-value pairs:  Accept  Cache-control  …  BODY RESPONSE  Status dode  Version  Date  Rest as key-value pairs:  Content-type  Content-length  …  BODY
  • 5. COOKIES  exist in headers as another key-value pair "with parameters"  cookies consist of  name  value  domain & path  expiration date  restrictions (security)
  • 6. COOKIES SCENARIO 2. responds with cookie visited: true 1. sends request to example.org 4. sends request to example.org with visited:true cookie in headers 3. saves visited:true for example.org 5. knows that client visited this page earlier
  • 8. WEB AUTHENTICATION  authentication system  authorize once at the beginning  use the system all the time  but http protocol is stateless!  every request is independent  how to simulate the states?  how to identify request from the specific user?
  • 9. STATES SCENARIO 2. generates über-random identifier 1. sends first request to example.org 5. sends next request to example.org with UserId: QB32SDXC8 cookie in headers 4. saves UserId:QB32S… for example.org 3. sends it back in cookie UserId: QB32SDXC8
  • 10. SESSION  so far: server is able to distinguish users  session: server-side bag for user data  key: previously generated identifier stored in cookie  like QB32SDXC8  value: yet another dictionary  user-specific data like name, address, etc.  security and access data like roles, privileges, etc.  forms
  • 11. HACK THE SYSTEM  do we want to be an authorized user?  no! we want to act like one!  to hack the system = to "steal" someone’s session  maybe "someone” is:  facebook user – we have all his private data, photos, etc.  bank user – we know how much money he has  …  admin – we can do anything
  • 12. SESSION HIJACKING  system/browser backdoor  steal the cookie from memory  xss  sidejacking  main-in-the middle  fixation  send user url with session id: http://example.org/?&sessionId=QB32SDXC8  wait for the user to log in  riding – our topic
  • 13. THE ROADTO SESSION RIDING  we want to download data stored under http://example.org/admin/secret  let’s think:  authentication & authorization is based on session  session is based on cookies  cookies are being sent to example.org with every request  how about we prepare a website that sends request to the specified path?
  • 14. LET’S TRYTO GET THE ADMIN’S SECRET
  • 15. LET’S TRYTO GET THE ADMIN’S SECRET  what actually happened? 1. browser downloads the entire DOM tree 2. img node is being located 3. browser automatically sends GET request to download the image  but… there is no image at the end  nevertheless, browser attached all cookies dedicated to example.org <img src="http://example.org/admin/secret" />
  • 16. LET’S TRYTO DO THE ADMIN’S JOB  GET shouldn’t change anything  http://example.org/admin/delete-user/?&username=admin  you’re doing itWRONG!  let’s mess up with POST / DELETE / PUT …
  • 17. LET’S TRYTO DO THE ADMIN’S JOB
  • 18. BUILDING THE FIREWALL  how browser works:  attacker is able to send cookies with the request …  … but is not able to see them!
  • 19. ANTI-FORGERY TOKEN – HOW IT’S MADE 2. generates über-random identifier: J723SDA 1. sends request to example.org 3. sends it back inside the form and in the cookie AntiForgeryToken= J723SDA <input name="_token" type="hidden" value="J723SDA" />
  • 20. ANTI-FORGERY TOKEN – HOW IT WORKS 1. sends request to example.org containing: • cookie with token: J723SDA • form value with token: J723SDA 2. validates the request: • token in cookie is present? true • token in form is present? true • do they match each other? true all true? it’s valid!
  • 21. ANTI-FORGERY TOKEN – HOW IT SECURES 1. sends request to example.org containing: • cookie with token: J723SDA • form value with token: ?????????? 2. validates the request: • token in cookie is present? true • token in form is present? false • do they match each other? false all true? no! respond with 403 Forbidden
  • 22. DO THE TRICK IN ASP.NET MVC
  • 23. EVEN MORE SECURE  create a keyword based on:  action-specific and user-specific data  application, server, etc.  our keyword: "BARTEK"  hash the keyword: (0BDE667AA88E8832B61BF68C0D4E34A4) and split it:  0BDE667AA88E8832 goes into cookie  B61BF68C0D4E34A4 goes into form  on request, compute the keyword once again and validate the tokens
  • 24. PROBLEMS  strongly relies on browser security  doesn’t work with GET requests  is it a problem in pure, REST service?  to disable cookies = to disable all communication  site vulnerable to XSS = we’re doomed
  • 25. SINGLE PAGE APPS - PROBLEMS  forms are pre-generated  which form is going to be triggered next?
  • 26. API WRAPPER – CLIENT SIDE  write wrapper for all ajax communication (GET, POST, PUT, DELETE)  requestSettings contains method, data, etc. ApiWrapper.prototype._SendRequest = function (requestSettings) { var self = this; requestSettings.headers["Token"] = self.Token; return $.ajax(requestSettings).always(function (arg1, textStatus, arg2) { jqXHR = (textStatus !== "success") ? arg1 : arg2; self.Token = jqXHR.getResponseHeader("Token"); document.cookie = "Token=" + self.TokenId + ";"; }); };
  • 27. API WRAPPER – SERVER SIDE  keep tokens in cache/database  nosql  custom ValidateAntiForgeryTokenAttribute  validates token from cookie and header  updating token if necessary
  • 28. API WRAPPER - USAGE  write wrapper for all ajax communication (GET, POST, PUT, DELETE)  return jqXHR from all functions api.Get('customers/' + customerId) .success(function (data) { self.Customer(data); }); api.Post('customers/' + customerId, editedData) .success(function () { message.ReportSuccess(); });
  • 29. SEA-SURFING IN ASP.NET MVC QUESTIONS-SURFING  Fiddler: http://www.telerik.com/fiddler  Icons: http://www.visualpharm.com/ BARTOSZ LENAR bartoszlenar@gmail.com @bartoszlenar