Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I understand that the AntiForgeryToken feature in ASP.NET MVC does prevent cross-site attacks.
However, does it prevent from changing form values before POST?
For example, a malicious attacker may find out that the rating page always contains a hidden field contaning the rated entity ID and create POST requests to artificially rate all his own entities high.
What is the preferred way to ensure that the form values between a GET and a POST have not been changed?
AntiForgeryToken prevents a malicious site to trick a user to a form that looks the same as the original and post it to the original site. It does not prevent the scenario you are describing. Here’s how an attacker could proceed in order to circumvent the token:
As you can see the only difference to as if you haven’t used AntiForgeryToken is that the hacker needs to send an additional GET request to read the value of the token.
There’s absolutely no way to prevent an attacker from modifying the value of a hidden field other than verifying that the user who submitted the form (I suppose that in order to vote the user has to be authenticated) is not the owner of the entity ID he is voting for.