ASP.NET MVC - CSRF on a GET request

Backend · Unresolved · 2 · 717
面向向阳花 2021-02-13 12:35

We have an ASP.NET MVC application. All the POST requests (form submits) have been protected from CSRF by using @Html.AntiForgeryToken and ValidateAntiForgery

2 answers
  •  失恋的感觉
    2021-02-13 13:22

    Ordinarily safe methods do not have to be protected against CSRF because they do not make changes to the application, and even if they're returning sensitive information this will be protected by the Same Origin Policy in the browser.

    If your site is implemented as per standards, your GET requests should be safe and therefore do not need protection.

    However, there is a specific case where a "Cross-Site DoS"* attack could be executed. Say your reporting page takes 10 seconds to execute, with 100% CPU usage on your database server, and 80% CPU usage on your web server.

    Users of your website know never to go to https:///Analysis/GetReport during office hours because it kills the server and gives other users a bad user experience.

    However, Chuck wants to knock your website offline because he doesn't like you or your company.

    On the busy forum he posts to often, http://forum.walkertexasranger.example.com, he sets his signature to the following:

    
    

    He also knows that your company employees frequent the forum, often while also logged into yoursite.example.org.

    Every time one of Chuck's posts is read by your employees, authentication cookies are sent to https://yoursite.example.org/Analysis/GetReport, so your site processes the request and generates the report, and your system goes offline because CPU is eaten by these constant requests.

    So even though the request is a GET request and doesn't make any permanent changes to your system (aka "safe"), it is in fact bringing down your system every time it is run. Therefore, it would be better to protect this with some CSRF prevention methods. The easiest way would be to convert this so that the report can only be generated via a POST request and therefore the request can be validated via the AntiForgeryToken.

    *XSDoS, or Cross-Site Denial of Service, is a phrase coined by me, so don't go Googling for it.
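The fix the answer recommends, written out as an added example (this is not the answer author's code and not from the questioner's project). It assumes an ASP.NET MVC 5 app with a hypothetical `AnalysisController` and a placeholder `IReportService` that stands in for the slow report query; the Razor form is shown in a comment at the end because it lives in a separate view file.

```csharp
// Added example: moving an expensive report behind POST + anti-forgery token.
// Names below (AnalysisController, IReportService, ReportViewModel) are
// assumptions, not identifiers from the original question or answer.
using System.Web.Mvc;

public interface IReportService
{
    // Placeholder for the 10-second, CPU-heavy query the answer describes.
    object Generate();
}

[Authorize]
public class AnalysisController : Controller
{
    private readonly IReportService _reports;

    public AnalysisController(IReportService reports)
    {
        _reports = reports;
    }

    // BEFORE (the problematic shape, kept as a comment for contrast):
    // a GET that does the heavy work. Any third-party page that embeds
    //   <img src="https://yoursite.example.org/Analysis/GetReport" />
    // makes each logged-in visitor's browser fire this request with their
    // session cookie attached, so the server burns 10 seconds of CPU per view.
    //
    // [HttpGet]
    // public ActionResult GetReport()
    // {
    //     return View("Report", _reports.Generate());
    // }

    // AFTER, step 1: the GET only renders a cheap page containing the form.
    // Loading this URL from an <img> tag now costs the server almost nothing.
    [HttpGet]
    public ActionResult GetReport()
    {
        return View();
    }

    // AFTER, step 2: the expensive work is reachable only via POST, and only
    // when the anti-forgery token (hidden form field + matching cookie) checks
    // out. A cross-site <img> cannot issue a POST at all, and a cross-site
    // <form> cannot read the token, so the filter rejects the request before
    // the report is generated.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult GenerateReport()
    {
        return View("Report", _reports.Generate());
    }
}

/*
   Views/Analysis/GetReport.cshtml (Razor), the only legitimate way to reach
   GenerateReport:

   @using (Html.BeginForm("GenerateReport", "Analysis", FormMethod.Post))
   {
       @Html.AntiForgeryToken()
       <button type="submit">Generate report</button>
   }
*/
```

Two details worth checking in a real deployment: the `[Authorize]` attribute does not by itself stop the cross-site load (the victim's cookie satisfies it), which is exactly why the token check on the POST is what closes the hole; and if the report is also exposed through any other GET route (an export link, an API endpoint) that route needs the same treatment, otherwise the `<img>` trick simply moves there.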
