
Controller method is vulnerable to CSRF



The annotation [ValidateAntiForgeryToken] is missing.

Risk

A malicious user could send a link to the victim. When the victim visits the malicious page, that page triggers a POST request to the website, and because the browser attaches the victim's session cookie, the action runs as the victim. The victim has no way to notice that an action is being performed in the background. This attack requires no interaction beyond visiting a website.

Vulnerable Code

using System.Web.Mvc;

public class TestController : Controller
{
    [HttpPost]
    public ActionResult ControllerMethod(string input) {
        // Do an action in the context of the logged-in user.
        // No anti-forgery check: any site can submit this POST on the user's behalf.
        return View();
    }
}

Solution

using System.Web.Mvc;

public class TestController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken] // Annotation added: rejects the request unless the
                               // hidden field emitted by @Html.AntiForgeryToken()
                               // matches the anti-forgery cookie
    public ActionResult ControllerMethod(string input) {
        // Do something..
        return View();
    }
}
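The per-action annotation above is easy to forget on the next controller. As an added example (not code from this rule page), the filter below enforces the same check globally for every state-changing verb, and also accepts the token from a request header so AJAX callers can participate; it assumes ASP.NET MVC 5 (System.Web.Mvc / System.Web.Helpers), and the header name X-RequestVerificationToken is a convention chosen here, not part of the framework.

```csharp
using System.Web.Helpers;
using System.Web.Mvc;

// Added example, not part of the rule page or the Security Code Scan project.
// Validates the anti-forgery token pair on every unsafe request, so an action
// that is missing [ValidateAntiForgeryToken] is still protected.
public sealed class ValidateAntiForgeryOnUnsafeVerbsAttribute : FilterAttribute, IAuthorizationFilter
{
    // Header an AJAX client can use instead of the hidden form field (assumed name).
    private const string HeaderName = "X-RequestVerificationToken";

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        var request = filterContext.HttpContext.Request;

        // Safe verbs must not change state, so they carry no token.
        var method = request.HttpMethod.ToUpperInvariant();
        if (method == "GET" || method == "HEAD" || method == "OPTIONS")
        {
            return;
        }

        // Token from the hidden field written by @Html.AntiForgeryToken(),
        // or from the header for JSON/AJAX callers.
        string formToken = request.Form["__RequestVerificationToken"];
        if (string.IsNullOrEmpty(formToken))
        {
            formToken = request.Headers[HeaderName];
        }

        // The matching half lives in the anti-forgery cookie set by the framework.
        var cookie = request.Cookies[AntiForgeryConfig.CookieName];
        string cookieToken = cookie == null ? null : cookie.Value;

        // Throws HttpAntiForgeryException (HTTP 500 by default, log it and map to 403)
        // when either half is missing or the pair does not match.
        AntiForgery.Validate(cookieToken, formToken);
    }
}

// Register once in Global.asax.cs Application_Start so every action is covered:
//   GlobalFilters.Filters.Add(new ValidateAntiForgeryOnUnsafeVerbsAttribute());
//
// Each form still needs the token emitted in the Razor view:
//   @using (Html.BeginForm()) { @Html.AntiForgeryToken() ... }
```

With the global filter in place, the scanner's finding on an individual action becomes a defence-in-depth gap rather than an exploitable hole, but keeping the annotation on sensitive actions still makes the intent explicit in code review.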

References

OWASP: Cross-Site Request Forgery
OWASP: CSRF Prevention Cheat Sheet