    @using (Html.BeginForm("Index", "Checkout", FormMethod.Post))
    {
        @Html.AntiForgeryToken(App.WebUI.Helpers.SecurityHelpers.AntiforgeryTokenSalt)
        <input type="hidden" name="amount" value="@Model.PackageCost"/>
        <input type="hidden" name="currency" value="$"/>
        <input type="hidden" name="itemdescription" value="@Model.PackageDescriptor"/>
        <input type="hidden" name="type" value="digital"/>
        <input type="submit" value="Confirmar" class="btn primary frmsubmit" />
    }
I’m POSTing this form to the Checkout controller:
    public class CheckoutController : Controller
    {
        [HttpPost]
        [ValidateAntiForgeryToken(Salt = SecurityHelpers.AntiforgeryTokenSalt)]
        public ActionResult Index(decimal amount, string currency, string itemDescription, string type)
        {
            // Magic here.
        }
    }
Both the salt in the form and the salt in the controller are the same:

    public static class SecurityHelpers
    {
        public const string AntiforgeryTokenSalt = "tokenFooYouTolkienBladeRunner";
    }
I’m under the impression that this would prevent a user from changing a hidden value in the form using Firebug and submitting that, i.e. buying a TV for $2.
Yet, I can change the values using Firebug and submit it, and it goes through fine.
What am I missing here?
You are missing the entire point of the anti-forgery token. It’s meant to block CSRF attacks, not a user changing form data on your own site. Besides, you shouldn’t be retrieving the price of an item from form data unless you intend to allow it to be provided by the customer.
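An added example (not the asker's or the answerer's code) of the fix the answer points to: the form posts only a package identifier, and the server resolves the price from its own catalog, so editing hidden fields in the browser cannot change what is charged. `Package`, `PackageCatalog` and the `packageId` field are hypothetical names for illustration; `SecurityHelpers.AntiforgeryTokenSalt` is the constant from the post above.

```csharp
using System.Collections.Generic;
using System.Web.Mvc;

// Hypothetical server-side catalog: the price lives here, never in the form.
public class Package
{
    public string Id { get; set; }
    public string Description { get; set; }
    public decimal Cost { get; set; }
}

public static class PackageCatalog
{
    private static readonly Dictionary<string, Package> Packages = new Dictionary<string, Package>
    {
        { "basic", new Package { Id = "basic", Description = "Basic package", Cost = 9.99m } },
        { "pro",   new Package { Id = "pro",   Description = "Pro package",   Cost = 49.99m } },
    };

    public static Package Find(string id)
    {
        Package p;
        return id != null && Packages.TryGetValue(id, out p) ? p : null;
    }
}

public class CheckoutController : Controller
{
    // The form now carries only <input type="hidden" name="packageId" .../> and the token.
    [HttpPost]
    [ValidateAntiForgeryToken(Salt = SecurityHelpers.AntiforgeryTokenSalt)]  // same attribute as above
    public ActionResult Index(string packageId)
    {
        // The token only proves this POST came from a form the site rendered for this
        // user's session (which is what stops CSRF); it cannot tell whether fields were edited.
        var package = PackageCatalog.Find(packageId);
        if (package == null)
        {
            return new HttpStatusCodeResult(400, "Unknown package");
        }

        // Charge the catalog price, not anything the client sent.
        decimal amount = package.Cost;
        // ... create the order from package.Id, package.Description and amount ...
        return RedirectToAction("Confirmation");
    }
}
```

The same rule applies to `currency`, `itemdescription` and `type`: anything that affects what the customer is charged is looked up server-side from the identifier, and the only client-supplied input is the choice of which package to buy.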