Should I use AntiForgeryToken in all forms, even login and registration?

Yes, it is important to include anti-forgery tokens for login pages.

Why? Because of the potential for "login CSRF" attacks. In a login CSRF attack, the attacker logs the victim into the target site with the attacker's account. Consider, for instance, an attack on Alice, who is a user of Paypal, by an evil attacker Evelyn. If Paypal didn't protect its login pages from CSRF attacks (e.g., with an anti-forgery token), then the attacker can silently log Alice's browser into Evelyn's account on Paypal. Alice gets taken to the Paypal web site, and Alice is logged in, but logged in as Evelyn. Suppose Alice then clicks on the page to link her credit card to her Paypal account, and enters her credit card number. Alice thinks she is linking her credit card to her Paypal account, but actually she has linked it to Evelyn's account. Now Evelyn can buy stuff, and have it charged to Alice's credit card. Oops. This is subtle and a bit obscure, but serious enough that you should include anti-forgery tokens for the form action target used to log in. See this paper for more details and some real-world examples of such vulnerabilities.

When is it OK to leave off the anti-forgery token? In general, if the target is a URL, and accessing that URL has no side effects, then you don't need to include an anti-forgery token in that URL.

The rough rule of thumb is: include an anti-forgery token in all POST requests, but you don't need it for GET requests. However, this rough rule of thumb is a very crude approximation. It makes the assumption that GET requests will all be side-effect-free. In a well-designed web application, that should hopefully be the case, but in practice, sometimes web application designers don't follow that guideline and implement GET handlers that have a side effect (this is a bad idea, but it's not uncommon). That's why I suggest a guideline based upon whether the request will have a side effect to the state of the web application or not, instead of based on GET vs POST.
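As an added illustration of the two points above (it is example code written for this page, not code from either answer or from any framework), the following framework-free Python models a session-bound anti-forgery token on the login form and a dispatcher that demands the token for every state-changing route, including a GET handler with a side effect. The field name `__RequestVerificationToken` is the one ASP.NET MVC's `AntiForgeryToken` helper emits; everything else (the in-memory session store, the sample accounts, the route table) is constructed for the demonstration.

```python
"""Added example (not from the original answers): a minimal model of
anti-forgery (CSRF) token issuance and verification on a login form, showing
why a cross-site forged login request is rejected while a legitimate one
succeeds, and why the check keys off side effects rather than GET vs POST."""
import hmac
import re
import secrets

# Hidden-field name emitted by ASP.NET MVC's AntiForgeryToken helper; reused
# here only as a familiar label, the logic below is a generic session-bound token.
TOKEN_FIELD = "__RequestVerificationToken"

# Constructed in-memory stores standing in for a session store and a user DB.
SESSIONS = {}
USERS = {"alice": "alice-pw", "evelyn": "evelyn-pw"}  # constructed sample accounts

# Routes tagged by whether they change server state. Per the answer's rule,
# every state-changing request needs the token, whatever its HTTP method.
ROUTES = {
    ("GET", "/profile"): False,
    ("POST", "/login"): True,
    ("POST", "/link-card"): True,
    ("GET", "/link-card-legacy"): True,  # a GET with a side effect still needs it
}


def new_session():
    """Create a pre-login session and bind a fresh random token to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": None, "csrf": secrets.token_urlsafe(32)}
    return sid


def render_login_form(sid):
    """The login page embeds the session's token as a hidden field."""
    token = SESSIONS[sid]["csrf"]
    return (
        '<form method="POST" action="/login">'
        f'<input type="hidden" name="{TOKEN_FIELD}" value="{token}">'
        '<input name="username"><input name="password"></form>'
    )


def token_from_form(html):
    """What the legitimate browser does: read the token back out of the page."""
    return re.search(rf'name="{TOKEN_FIELD}" value="([^"]+)"', html).group(1)


def token_is_valid(sid, form):
    """Constant-time comparison of the submitted token with the session's token."""
    expected = SESSIONS.get(sid, {}).get("csrf")
    submitted = form.get(TOKEN_FIELD)
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected.encode(), str(submitted).encode())


def login(sid, form):
    """Authenticate and bind the user to the session (token already checked)."""
    user, pw = form.get("username"), form.get("password")
    if USERS.get(user) != pw:
        return "401 bad credentials"
    SESSIONS[sid]["user"] = user
    # Rotate the token after authentication so the pre-login token cannot be
    # reused; a real app would also regenerate the session id here.
    SESSIONS[sid]["csrf"] = secrets.token_urlsafe(32)
    return f"200 logged in as {user}"


def dispatch(sid, method, path, form=None):
    """Single entry point: the token check runs before any side-effecting handler."""
    form = form or {}
    if ROUTES[(method, path)] and not token_is_valid(sid, form):
        return "403 anti-forgery token missing or invalid"
    if (method, path) == ("POST", "/login"):
        return login(sid, form)
    return f"200 ok ({method} {path})"


def simulate_login_csrf():
    """Alice's browser is made to POST Evelyn's credentials to /login.
    The browser attaches Alice's session cookie, but the attacker's page cannot
    read Alice's token, so the request arrives without a valid one."""
    alice = new_session()
    evelyn = new_session()  # the attacker's own session and token
    forged = dispatch(alice, "POST", "/login",
                      {TOKEN_FIELD: SESSIONS[evelyn]["csrf"],
                       "username": "evelyn", "password": "evelyn-pw"})
    legit = dispatch(alice, "POST", "/login",
                     {TOKEN_FIELD: token_from_form(render_login_form(alice)),
                      "username": "alice", "password": "alice-pw"})
    return {"forged": forged, "user_after_forgery": None if forged.startswith("403")
            else SESSIONS[alice]["user"], "legit": legit}


if __name__ == "__main__":
    print(simulate_login_csrf())
```

The point the code makes concrete: a forged request carries the victim's session cookie but not the victim's token, so binding the token to the session (and comparing in constant time) is what stops the login-CSRF scenario described above; the route table shows the check hanging off "does this change state", so a side-effecting GET is covered too.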


Where it could be necessary to have the token on a login page is when you need to prevent someone from maliciously logging you into the site with particular credentials. I can see this being the case if someone is being framed for something that requires logging in with a particular user. With that being said, it's a bit of a contrived example.