I read a couple of articles about using antiforgery token in forms to prevent CSRF attacks. I understand that an attacker can create http request get or post to these forms using the credentials of someone clicking on a link, an image or anything else.
Is there any advantages using an antiforgery token in a logon form? Considering that the attacker want to submit information to an html form that required to be authenticated, what would be useful for this attacker to target the logon page if it’s the entry point to be authenticated?
Note that I’m using Asp.Net MVC 4.
Thank you.
Putting an anti-forgery token on the login page can help mitigate login CSRF. In short, the attacker tricks the victim into logging in using the attacker’s credentials, and any changes the victim makes to the account (such as typing in credit card information) can then be viewed by the attacker.