Adding @Html.AntiForgeryToken() to a view does the following: it sets the __RequestVerificationToken cookie, and it adds a hidden input named __RequestVerificationToken to the page.
You can then add the ValidateAntiForgeryToken attribute to the HttpPost action, which validates the __RequestVerificationToken in the cookie against the posted hidden input value. This helps defend against cross-site request forgery (CSRF). If either value is missing or the two do not match (the tokens are encrypted, so the cookie value and the hidden-field value will not look the same if you compare them directly), the framework throws HttpAntiForgeryException.
Without the ValidateAntiForgeryToken attribute, your site is easily prone to CSRF. The following page reproduces the condition: a form hosted on a third-party page that posts to your Create action and submits itself as soon as the page loads. The victim's browser attaches the session cookie, but the page cannot supply the hidden __RequestVerificationToken, so with the attribute in place the request is rejected.
<body>
<!-- Cross-site page: the form targets the Create action and carries no __RequestVerificationToken hidden field -->
<form name="badform" method="post" action="http://localhost/product-ui/Product/Create">
<input type="hidden" name="sku" value="1234" />
<input type="hidden" name="overview" value="something...." />
</form>
<script type="text/javascript">
// Auto-submit on load; no user interaction is needed
document.badform.submit();
</script>
</body>
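The controller side of the protection described above, as an added example that is not code from the original post. It assumes a classic ASP.NET MVC 5 application (System.Web.Mvc) with a Product model and a ProductController whose Create action matches the /Product/Create URL used by the "badform" page; the names Product, Sku, Overview and ProductUi are assumptions for illustration.

```csharp
// Added example (not from the original post). Assumed ASP.NET MVC 5 application;
// the ProductUi namespace, Product model and property names are illustrative.
using System.Web.Helpers;   // HttpAntiForgeryException
using System.Web.Mvc;

namespace ProductUi.Controllers
{
    public class Product
    {
        public string Sku { get; set; }
        public string Overview { get; set; }
    }

    // Renders a friendly view instead of a yellow-screen error when the
    // anti-forgery check fails (requires customErrors to be enabled).
    [HandleError(ExceptionType = typeof(HttpAntiForgeryException), View = "AntiForgeryError")]
    public class ProductController : Controller
    {
        // GET /Product/Create renders the form. The Razor view must place
        // @Html.AntiForgeryToken() inside the form, for example:
        //
        //   @using (Html.BeginForm("Create", "Product", FormMethod.Post))
        //   {
        //       @Html.AntiForgeryToken()
        //       @Html.TextBoxFor(m => m.Sku)
        //       @Html.TextAreaFor(m => m.Overview)
        //       <input type="submit" value="Create" />
        //   }
        //
        // That call emits the hidden __RequestVerificationToken input and sets
        // the matching __RequestVerificationToken cookie.
        [HttpGet]
        public ActionResult Create()
        {
            return View();
        }

        // Before (vulnerable): the action accepted any POST carrying the session
        // cookie, which is exactly what the cross-site "badform" page sends.
        //
        //   [HttpPost]
        //   public ActionResult Create(Product product) { ... }
        //
        // After (hardened): ValidateAntiForgeryToken rejects the request unless
        // the cookie token and the posted hidden-field token are both present
        // and match, throwing HttpAntiForgeryException otherwise. The cross-site
        // form cannot read or forge the hidden field, so its POST fails here
        // before the action body runs.
        [HttpPost]
        [ValidateAntiForgeryToken]
        public ActionResult Create(Product product)
        {
            if (!ModelState.IsValid)
            {
                return View(product);
            }

            // Persist the product here (omitted in this example).
            return RedirectToAction("Index");
        }
    }
}
```

To check the fix, open the "badform" page in a browser that has a logged-in session to the application: with the attribute in place the response is the HttpAntiForgeryException error view and no product is created, whereas the unprotected action would have created one silently. Note that ValidateAntiForgeryToken only guards the actions it is applied to, so every state-changing POST action needs it, not just Create.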
I was just thinking about it and you provided me the correct information. I have bookmarked it for further reading. But it would be great if you provided more details about it. I am sharing my information such as .