Posted on May 14, 2009 13:04 by swilliams

Just prior to their 1.0 release, the ASP.NET MVC dev team added a nice feature to prevent CSRF attacks, the AntiForgeryToken. In brief, a CSRF attack is when a 3rd party gets one of your users to accidentally run a malicious script that accesses normally restricted URLs. The AntiForgeryToken pattern allows the web server to reject requests that come from places it was not expecting. More details can be found here. If you are a web developer and aren’t familiar with CSRF attacks, you need to fix that.

Anyways, the AntiForgeryToken bit is all well and good, but what if you are using jQuery (or another library) to handle your AJAX calls? Say you have an Action method like this:

[AcceptVerbs(HttpVerbs.Post), ValidateAntiForgeryToken]
public ActionResult DeleteAccount(int accountId) {
    // delete stuff
}

And you call it via:

$.post('/home/DeleteAccount', { accountId: 1000 }, function() {
    alert('Account Deleted.');
});

Since the POST does not include the AntiForgeryToken, it will fail.

Fortunately, it doesn’t take much brainpower to fix this. All the client side component of AntiForgeryToken does is put the token in a basic hidden field. So, you just need to pull that data out and include it in your AJAX call.

var token = $('input[name=__RequestVerificationToken]').val();

$.post('/home/DeleteAccount', { accountId: 1000, '__RequestVerificationToken': token }, function() {
    alert('Account Deleted.');
});

Do note that if you have multiple forms on the page with multiple AntiForgeryTokens, you will have to specify which one you want in your jQuery selector. Another gotcha is if you are using jQuery’s serializeArray() function, you’ll have to add it a bit differently:

var formData = $('#myForm').serializeArray();
var token = $('input[name=__RequestVerificationToken]').val();
formData.push({ name: '__RequestVerificationToken', value: token });

$.post('/home/DeleteAccount', formData, function() {
    alert('Account Deleted.');
});

Again, if you are making a web site that has any sort of interactivity at all, you need to be aware of these kinds of attacks. The tools to prevent them are readily available for you to use.

Be the first to rate this post

Currently 0/5 Stars.
1
2
3
4
5

Comments

August 23. 2009 10:31

Thanks for providing valuable information on the topic. Keep posting

Transfer of Equity

September 8. 2009 03:15

Thanks for providing valuable information on the topic. Keep posting

Online High School

September 8. 2009 03:15

interactivity at all, you need to be aware of these kinds of attacks. The tools to prevent them are readily available for you to use.

GED Online

September 8. 2009 03:15

the topic. Keep posting

home school curriculum

September 8. 2009 03:16

thanks for info

affordable education

September 8. 2009 03:16

. Keep posting

diploma

September 10. 2009 05:47

Do you know how to treat ED in women?

sildenafil for women

September 30. 2009 09:35

i like

Tiffany Necklaces

October 9. 2009 04:27

Great post, thanks.

online games

October 13. 2009 06:41

art is a lie that tells the truth ugg classic cardy. Humor has been well defined as ugg calssic thinking in fun while feeling in earnest.The decline of literature indicates the decline of a ugg sale online nation ; the two ugg bailey button keep in their ugg classic min downward tendency. http://www.olugg.com/

ugg boots sale

October 13. 2009 06:43

<a href="http://www.ggaol.com/">unlock nokia mobile</a> it is better to waste one's youth than to do noting <A href="www.ggaol.com/...a-mobiles-c-4.html">nokia mobiles</A> with it at all. One <a href="http://www.ggaol.com/specials.html">nokia sirocco</a> thing I know.If a jewel falls into the <A href="www.ggaol.com/...eadphones-c-10.html">bose headphones</A> mire, it remains as precious as before; and though dust should ascend to <a href="http://www.ggaol.com/">buy cheap nokia 8800</a> heaven, its former worthlessness will not altered.

nokia mobiles

October 18. 2009 19:08

You can't step twice into the same ugg boots river, for other ugg classic cardy waters are continually flowing in. In the ugg bailey button long run men hit only what they aim at ugg lo pro button. High expectations are the key to every UGG Knightsbridge thing. If you wait, all that happens is that you get older. http://www.ladiesugg.com/

Ugg Sale

October 19. 2009 09:23

a wise luxury handbags on sale man never loses anything if he has chanel handbangs himself.a great jimmy choo handbags man is always willing to be little. Death is the only bottega veneta pure, beautiful conclusion of a great cheap handbags passion.When the fight begins within himself, a man's worth something. http://www.supershandbag.com/

supershandbag

October 19. 2009 09:23

supershandbag

October 19. 2009 21:52

The ugg knightsbridge world is a comedy to those who thinks, a tragedy to those ugg classic cardy who feels.Look not mournfully into the ugg boots past, it comes not back again. Wisely improve the present, it is ugg lo pro button thine. Go forth to meet the shadowy future, without fear, and with a manly ugg bailey button heart. http://www.ugg2you.com/specials.html

Cheap Uggs

October 19. 2009 22:40

Cheap Uggs

October 20. 2009 08:22

It is really good and useful posting. Thanks for sharing.

Miami Web Design

October 20. 2009 08:30

Thanks for the link regarding CSRF attacks. The article is written in an understandable way and really helped me to fix the lag of understanding.
www.kreditrechner-4u.de/.../...itaetenrechner.aspx

LED Lichterketten

October 21. 2009 15:51

Art is a lie that tells the truth ugg knightsbridge. Humor has been well defined as ugg lo pro button thinking in fun while feeling in earnest.The decline of literature indicates the decline of an ugg boots nation ; the two ugg bailey button keep in their uggs boots downward tendency.
http://www.olugg.com/

UGG Boots All On Sale

October 21. 2009 23:53

An ugg lo pro button man is not made for defeat.An ugg bailey button man can be destroyed but not defeated.No rational man can die without ugg boots uneasy apprehension.Better ugg knightsbridge be unborn than untaught,for ignorance is the root of misfortune.Genius17 without education is like silver in the uggs boots mine. http://www.ugg2you.com/specials.html

Uggs,Cheap Uggs

October 22. 2009 08:51

Simpy,i like it.Nice post.

Swing Sets

October 22. 2009 10:49

An ugg bailey button better be unborn than untaught,for ignorance is the root of misfortune.Genius17 withoutugg knightsbridge education is like silver in the mine. ugg boots man is not made for defeat. an uggs boots man can be destroyed but not defeated.No rational man can die without ugg lo pro button? uneasy apprehension.
http://www.love-ugg.com/

Ugg Boots On Sale

October 23. 2009 01:57

The decline of literature indicates the decline of a ugg sale online nation ; the two ugg bailey button keep in their ugg classic min downward tendency.

Puppies for sale

October 26. 2009 13:40

Thanks a ton for the wonderful update.

<a href="http://www.thefilmwall.com/index/"> Watch Movies Online</a>

Mitsh

October 28. 2009 11:33

Thanks for providing valuable information on the topic. Keep posting

club penguin cheats

October 29. 2009 15:56

I am very new to programming. AJAX is also being used in wordpress. I want to make a wordpress plugin i have the code but could not develop the plugin could anyone help here.

Concrete Garages

October 30. 2009 07:44

@ Miami Web Design:

Yah agree with you. Great work man. Keep it up.

Concrete Garages

October 30. 2009 07:46

Great work. Thanks for sharing such a valuable information with us thanks and regards

Cosmetic dentists Palm beach

November 3. 2009 16:55

UGG boots is the best choice for the winter. You give warmth to me----Ugg Snow Boots, Ugg wool boots. We offer Australia Ugg Boots, Ugg Snow Boots, Sheepkin boots, Fashion Boots. Top quality, Affordable.
Welcome to our website: http://www.uggsnowbootsbest.com/

cheap ugg boots

February 20. 2010 06:03

The RSS feed on your site won't work with my browser (Google Chrome) how can I fix it?

Catrice Basilio

February 20. 2010 11:59

One has to think through it before coming to a conclusion on about it,beautiful site I like the header.

How To Get A Girl

February 20. 2010 20:48

Interesting posts. I favorited your page. I'm looking for quality pages that have an audience that would find value from a new page I maintain on akita dogs. Let me know if you want to exchange some posts or content. I think we would both benefit.

Akita Dog Training

February 20. 2010 23:28

I typically utilize a command line tool such as curl to break down a web site link. Were you not afraid that in those sixty seconds the website may have tried a zero-day exploit against your browser and dump some malware to your pc? Or did you utilize a virtual machine you then burned-out?

Racquel Bulick

February 21. 2010 00:47

Where is your feed link? I like your posts and I'm trying to get them to show up in Google reader.

affordable website

February 21. 2010 06:20

Such a nice post! Thank you for sharing this great article...

Mature Phone Sex

February 21. 2010 16:40

Aw, this was a really quality post. In theory I'd like to write like this too - taking time and real effort to make a good article... but what can I say... I procrastinate alot and never seem to get something done.

how to earn extra money

March 5. 2010 06:42

I enjoy streaming movies online, it is way cheaper than going to the theaters.

hd movies

March 5. 2010 07:39

Best of luck with the blog, I enjoyed finding your post today.

Hiroko Mctague

March 5. 2010 12:31

I enjoy watching movies online, it is way easier than going to the theaters.

hd movies

March 5. 2010 14:41

I admire what you have done here. I like the part where you say you are doing this to give back but I would assume by all the comments that this is working for you as well.

jasminlive

March 5. 2010 15:06

Wow!, this was a real quality post. In theory I'd like to write like this too - taking time and real effort to make a good article... but what can I say... I keep putting it off and never seem to achieve anything

ELC

March 5. 2010 16:36

I have been searching for this, but it wasn't on the same page in bing as it was yesterday when I first saw it. Anyway, thank God for search history!

Matthew Katcsmorak

March 5. 2010 16:56

Pretty nice post. I just stopped by by your website and wanted to say that I have truly enjoyed browsing your articles. Any way, I’ll be subscribing to your feed and I'm hoping you post again soon!

Marian Smith

March 5. 2010 17:28

I appreciate the effort, and I think the writer definately knows their stuff... has better details than the wiki on the subject!

Mireya Ibrahim

March 5. 2010 23:23

Mothers day flowers

March 6. 2010 06:05

Is tethering against the Terms of Service of mobile phone providers? Which ones allow it?

Refer 3 Get Yours Free

March 6. 2010 07:51

commercial roofing concord

March 6. 2010 08:01

Wow! what an idea ! just how people come with these ideas ! Beautiful .. Amazing …

getting pregnant ovulation

March 6. 2010 08:19

This Post was full of great info , from where you get this info . Must be a hard work to find it.

Age Beauty

March 6. 2010 08:20

This Post was full of great info , from where you get this info . Must be a hard work to find it.

Age Beauty

March 6. 2010 08:28

This is certainly my initial stop by and I really like what I'm seeing. Your weblog is so much fun to look over, quite compelling as well as informative. I'll undoubtedly recommend it to my friends. Nevertheless, I did have some problem with the commenting. It kept giving me an problem whenever I clicked on publish comment. I hope, that can be fixed. Many thanks

Morgan Guyett

March 6. 2010 08:56

Thanks for taking this opportunity to talk about this, I feel strongly about it and I benefit from learning about this subject. If possible, as you gain data, please update this blog with new information. I have found it extremely useful.

moon in my room

March 6. 2010 10:20

Thanks for a useful post. Btw Love the site design

Abel Rouisse

March 6. 2010 16:34

Thanks for taking the time to discuss this, I feel strongly about it and love learning more on this topic. If possible, as you gain expertise, would you mind updating your blog with more information? It is extremely helpful for me.

ELC

March 6. 2010 21:50

Well said! - I looked at the Wiki on this and it did not have as detailed info - thanks!

mens health fitness

March 6. 2010 21:52

I bookmarked this page before and just came back to it ... well put and I will definately be forwarding this once I get to my home PC ...

mens health

March 6. 2010 22:09

Have you ever considered adding more videos to your blog posts to keep the readers more entertained? I mean I just read through the entire article of yours and it was quite good but since I'm more of a visual learner,I found that to be more helpful well let me know how it turns out! Big thanks for the useful info i found on MVC – Using AntiForgeryToken over AJAX.

teeth whitening

March 7. 2010 09:43

Great Post. I would love to read more in future. keep up the good work. Yearly hosting http://www.intelweb.biz

Peter

March 7. 2010 09:46

Substantially, the post is actually the greatest on this notable topic. I fit in with your conclusions and will eagerly look forward to your forthcoming updates. Saying thanks will not just be enough, for the tremendous clarity in your writing. I will at once grab your rss feed to stay privy of any updates. Genuine work and much success in your business enterprize!

indoor plant seeds

March 7. 2010 11:42

Wow. just searched google and found exactly what i was looking for great post.

Gift Vouchers & Coupons

March 8. 2010 11:12

moon in my room

March 8. 2010 15:19

Really good blog, I can see you really have put a lot of work into making this a really good read. Some really good posts, shows you have put a lot of time and effort in to it for your readers. Keep up the great posting.

vistabay rehab

March 8. 2010 21:53

For what it is worth there seems to be a lot of comments regarding online pharmacies and "buy viagra" etc. I hope most people know these links are not just SPAM but SCAM. So I will do my part and post a link to this article <A href="www.articleblast.com/.../Guide_to_Online_Pharmacies_-_Don%27t_get_scammed/">"Guide to Online Pharmacies - Don't get scammed"</A> - from a guy at articleblast.com - really good advice on what to avoid and how to spot the scammers - the majority.I do in fact actually read and like this blog, but wanted to do my part for internet education. This is not spam, I hope the mod checks the link to see so... Have a good day and thank you for the informative articles.

buy generic sildenafil

March 8. 2010 22:17

Outstanding website, I really found it to be great. I'm looking forward to visiting once again to see what is brand new.

JP Mortgage

March 8. 2010 22:36

Ola.Hi.Sorry if my english language isn't very good.however i intend to tell that i like this post a lot.Thanxxx

watch the pacific online

March 9. 2010 15:20

Teenage Driver: But, officer, Im a college man.Policeman: Sorry, but ignorance is no excuse.

George McDuffie

March 9. 2010 15:44

found your site on bookmarkingservice today and really liked it. i bookmarked it too and will be back to check it out some more later ..

kartenlegen per mail

March 10. 2010 00:23

Substantially, the post is actually the greatest on this valuable topic. I agree with your conclusions and will thirstily look forward to your forthcoming updates. Saying thanks will not just be adequate, for the great lucidity in your writing. I will right away grab your rss feed to stay informed of any updates. Admirable work and much success in your business dealings!

real female orgasm

March 10. 2010 06:45

hey, I found this site from yahoo and read a few of your other articles. They are nice. Please continue this great work!!! Best regards, Hector.

free online games

Add comment

Name*
E-mail*
Website
Comment* [b][/b] - [i][/i] - [u][/u]- [quote][/quote]

Notify me when new comments are added

Live preview

March 10. 2010 10:01

Sogeti Phoenix Blogs

Search

Authors

Tags

Categories

Archive

MVC – Using AntiForgeryToken over AJAX

Related posts

Comments

Add comment

Live preview