We’ve just had some Penetration Testing carried out on an application we’ve built using

Question

0

Asked: May 14, 20262026-05-14T09:00:11+00:00 2026-05-14T09:00:11+00:00

We’ve just had some Penetration Testing carried out on an application we’ve built using

0

We’ve just had some Penetration Testing carried out on an application we’ve built using ASP.NET MVC, and one of the recommendations that came back was that the value of the AntiForgeryToken in the Form could be resubmitted multiple times and did not expire after a single use.

According to the OWASP recommendations around the Synchronizer Token Pattern:

“In general, developers need only generate this token once for the current session.”

Which is how I think the ASP.NET MVC AntiForgeryToken works.

In case we have to fight the battle, is it possible to cause the AntiForgeryToken to regenerate a new value after each validation?

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-14T09:00:12+00:00

Editorial Team

2026-05-14T09:00:12+00:00Added an answer on May 14, 2026 at 9:00 am

The anti-forgery token is just an anti-XSRF token. In particular, it is not a single-use nonce. If you need a single-use nonce for your application, you cannot use the anti-forgery token for this purpose. There is no built-in functionality for this.

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

We’ve just had some Penetration Testing carried out on an application we’ve built using

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply