
AbpAutoValidateAntiforgeryTokenAttribute -- working ? #10173


0
Romka created
  • v10.2.0
  • Angular
  • net5.0
  • latest ABP Framework version

Hello,

We are currently working on our security vulnerabilities, with static analysis.

We wanted to check our application against CSRF, but it does not seem to work.

=> We do have the following in Startup.cs:

services.AddControllersWithViews(options =>
{
    // Validates the antiforgery token on unsafe HTTP methods (not GET/HEAD/OPTIONS/TRACE)
    options.Filters.Add(new AbpAutoValidateAntiforgeryTokenAttribute());
}).AddNewtonsoftJson();

=> But if I open Chrome's devtools, then for instance upload a file in the chat (the backend method 'UploadFile' lives in the "ChatControllerBase" class, Web.Core project), then check the Network tab in devtools and look at the request headers: there is no "X-CSRF-TOKEN", nor "RequestVerificationToken".

I checked the following link : https://docs.abp.io/en/abp/3.3/CSRF-Anti-Forgery

I don't know what to try further.


8 Answer(s)
  • 0
    ismcagdas created
    Support Team

    Hi @Romka

    The Angular version doesn't use anti-forgery. Instead, it uses CORS, so only the allowed apps can make requests to your server app.

  • 0
    Romka created

    Hello,

    So why is there code to configure AbpAutoValidateAntiforgeryTokenAttribute in Startup.cs? And why, in the doc https://docs.abp.io/en/abp/3.3/CSRF-Anti-Forgery, is there a chapter about Angular stating that "Since ABP Framework follows the ASP.NET Core conventions, it changes this value to RequestVerificationToken in the core package"? I don't understand.

    CORS is a different thing; if an attacker forges a link to, say, "myapp/grant-permission-touser?userid=xxx", then sends that by email, CORS is totally off topic there.

  • 0
    alper created
    Support Team

    A CSRF attack can be implemented in 2 ways:

    1- session persistence (if the application uses cookies)
    2- relaxed origin policies (CORS) (if the host is allowed to get requests from any client)

    In ASP.NET Zero Angular applications, cookies are not used, so you are not affected by "session persistence" (it uses HTTP Web APIs). On the other hand, if you are hosting your host and Angular client on different domains and allow requests from any client then, yes, you may be affected. But this is a misconfiguration issue, separate from the framework itself.

  • 0
    Romka created

    Thanks for your response.

    OK, I got what you say, no problem.

    But I still wonder why, in this case, the AspnetZero template adds the AbpAutoValidateAntiforgeryTokenAttribute in Startup.cs? https://aspnetboilerplate.com/Pages/Documents/XSRF-CSRF-Protection#integration-2

    "In ASP.NET Zero Angular applications, cookie is not being used"

    I do see a cookie for the application (and I have the "cookie consent" widget)

  • 0
    alper created
    Support Team

    That's for MVC templates; I guess you can safely remove that filter. The cookie consent widget is a standard widget that comes in all templates, because some users add extra cookies for their Angular client. But be aware that these cookies will not be sent to the host, because in Angular we make AJAX requests (which are custom requests). CSRF is related to requests that the browser sends by clicking a button or submitting a form. In Angular we are not using request communication that way. Also, you don't need to do a penetration test for your Angular client. Penetration tests are mostly done for the server side.

  • 0
    Romka created

    Sorry, but:

    • I log in to my application
    • I open devtools
    • I clear cookies
    • I hit F5: I'm disconnected.

  • 0
    alper created
    Support Team

    I know that there's a cookie, but it's not being used natively by the browser. The Angular client creates a custom AJAX request and passes the value from the cookie to the request header. Therefore the CSRF steps do not apply. The browser must send the cookie natively to make a CSRF attack. The attacker's website cannot reach your HttpOnly-flagged cookie and read its value. I hope it's clear.

  • 0
    Romka created

    OK, I think I understand. Thanks for these explanations; it was really confusing because of the code with AbpAutoValidateAntiforgeryTokenAttribute in Startup.cs and the boilerplate documentation.