what is the use of anti-forgery token salt?

Asked 10/9, 2009 at 0:4 Answered 10/9, 2009 at 0:17

Solved asp.net-mvc security csrf session-fixation

In ASP.NET MVC 1.0, there is a new feature for handling cross site request forgery security problem:

 <%= Html.AntiForgeryToken() %>
[ValidateAntiForgeryToken]
public ViewResult SubmitUpdate()
{
    // ... etc
}

I found the token generated in html form keep changing every time a new form is rendered.

I want to know how these token is generated? And when use some software to scan this site, it will report another security problem: Session fixed. Why? Since the token keep changed, how can this problem come ?

And there is another function, that is "salt" for the antiForgeryToken, but I really know what this used for, even through we don't use "salt" to generate the token, the token will changes all the time, so why have such function?

Seda answered 10/9, 2009 at 0:4 Comment(0)

Lots of info on the AntiForgeryToken here: http://blog.codeville.net/2008/09/01/prevent-cross-site-request-forgery-csrf-using-aspnet-mvcs-antiforgerytoken-helper/

This is to prevent a Cross-Site Request Forgery (CSRF). It's pretty standard behavior to click 'Save' sumbit a form and perform some action on the server, i.e. save a user's details. How do you know the user submitting the form is the user they claim to be? In most cases you'd use some cookie or windows based auth.

What if an attacker lures you to a site which submits exactly the same form in a little hidden IFRAME? Your cookies get submitted intact and the server doesn't see the request as any different to a legit request. (As gmail has discovered: http://www.gnucitizen.org/blog/google-gmail-e-mail-hijack-technique/)

The anti-forgery token prevents this form of attack by creating a additional cookie token everytime a page is generated. The token is both in the form and the cookie, if the form and cookie don't match we have a CSRF attack (as the attacker wouldn't be able to read the anti-forgery token using the attack described above).

And what does the salt do, from the article above:

Salt is just an arbitrary string. A different salt value means a different anti-forgery token will be generated. This means that even if an attacker manages to get hold of a valid token somehow, they can’t reuse it in other parts of the application where a different salt value is required.

Update: How is the token generated? Download the source, and have a look at the AntiForgeryDataSerializer, AntiForgeryData classes.

Emotionality answered 10/9, 2009 at 0:17 Comment(5)

Actually I know all of this, did you see my problem ? I come from the blog just now. – Seda 10/9, 2009 at 0:19

Which problem "Session fixed", or the question about "salt"? "Session fixed" I'm not familiar with, what are you using to scan the site? – Emotionality 10/9, 2009 at 0:22

thanks, russau, but i just don't agree on the blog post, then i ask a question here.... – Seda 10/9, 2009 at 2:14

i've updated my answer with a link to the source.. I had a quick read thru it but couldn't immediately work out exactly how they are creating the token. – Emotionality 10/9, 2009 at 4:59

I don't think the cookie token is generated every page load, rather for every new user session. – Madeira 3/12, 2012 at 15:6

You've ask a few unrelated problems:

I don't know why your security software is reporting 'session fixed'. Try reading the documentation that comes with the report
The anti-forgery token:

This is used (presumably) to validate that each request is valid. So consider that someone tries to present a link to the page ?x=1, if the token is not also passed, the request will be rejected. Further, it (may) prevent duplicate posting of the same item. If you click 'post' twice, the token will likely change (each request), and this case will be detected via something like:

Session["nextToken"] = token;
WriteToken(token);

...

if( !Request["nextToken"] == Session["nextToken"] ){
    ...
}

// note: order in code is slightly different, you must take the token
// before regenerating it, obviously

I think the term for this (the attack it protects) is called "CSRF" (Cross-Site Request Forgery), these days.

Burtburta answered 10/9, 2009 at 0:11 Comment(5)

but why someone said that the token is related to SessionID? – Seda 10/9, 2009 at 0:15

MemoryLeak: I don't know, I haven't used ASP.NET MVC specifically, I was answering generally as to the purposes of a request token. Hopefully someone can clear that up for you. – Burtburta 10/9, 2009 at 0:16

salt is used to generate the token (so that it is random and not predictable). – Burtburta 10/9, 2009 at 0:19

but even i didn't use token, it is random too. That's my problem – Seda 10/9, 2009 at 0:19

MemoryLeak: I think I'll let someone else answer; clearly it's not good for me to try and help you in something I don't know about :P – Burtburta 10/9, 2009 at 0:23

Recommended topics

Hot tags