C#•4y ago

❔ Antiforgery token validation in API's

Antiforgery tokens are for preventing cross-site request forgery. Does that mean all sensitive API's should validate the token?

I haven't got into authentication and authorization in asp net core yet, should I learn that first and then I would become clear?

I mean, I have a razor page + api controllers app, and I was planning to use api controllers for all api-related things, so no form post request handling in the razor code. So I wonder is the authentication strategies used in the two approaches are completely different. I mean, razor pages would most likely use cookies on the client side to manage the sensitive user authentication information, while API's used in their pure form would just have a plain token, both I imagine would end up in the HTTP headers, so should they be validated in the same way? Should pure API's be trusted more? And then, isn't it possible to dynamically determine the authentication scheme, to use the same API endpoint for both sources of requests?

Again, this might become clear to me if I read some more material, however it's still vague to me for now.

Callum•11/24/22, 10:14 PM

I think most people just use CORS to prevent that attack.

Callum•11/24/22, 10:14 PM

So that you can only make requests to your secured API from a subset of domains thus you can't direct someone to a malicious site, authenticate & steal their auth credentials

AntonOP•11/24/22, 10:16 PM

So I can expect there to be no plausible way for an attacker to spoof the origin domain?

Callum•11/24/22, 10:16 PM

Well if you use a HTTPS secured site, typically you can ensure the site signature also matches. Though truthfully if they have access to the machine they can steal keystrokes or steal your password or even control your machine

Callum•11/24/22, 10:16 PM

By which point i consider that game over

CCallum I think most people just use CORS to prevent that attack.

AntonOP•11/24/22, 10:17 PM

But well this would make the API internal

AntonOP•11/24/22, 10:17 PM

which I don't want

Callum•11/24/22, 10:17 PM

The host file exists so you could rewrite google.com to point at localhost and given a convincing enough attack you may even enter in your username & password, but on the general internet assuming they can't access your machine

Callum•11/24/22, 10:17 PM

You say your API can only be accessed by site foo.com

Callum•11/24/22, 10:18 PM

Unless what you want is a public facing API that you also authenticate against yourself?

CCallum You say your API can only be accessed by site foo.com

AntonOP•11/24/22, 10:19 PM

yeah you're right

CCallum Unless what you want is a public facing API that you also authenticate against y...

AntonOP•11/24/22, 10:19 PM

i don't know what this means

Callum•11/24/22, 10:19 PM

public: i.e: everyone can access

Callum•11/24/22, 10:20 PM

At work I authenticate against company databases so we prevent this attack by hosting the api as a subdirectory of our application by going /api/

AntonOP•11/24/22, 10:20 PM

no they would have to be authenticated

Callum•11/24/22, 10:20 PM

Yeah then i think i'm correct

CCallum public: i.e: everyone can access

AntonOP•11/24/22, 10:21 PM

I said that in response to this

AntonOP•11/24/22, 10:21 PM

I mean, I want them to be authorized the access to particular resources is what I meant

Callum•11/24/22, 10:21 PM

Callum•11/24/22, 10:21 PM

alternatively you can just use razor pages

Callum•11/24/22, 10:21 PM

and forget this exists apparently

AntonOP•11/24/22, 10:21 PM

It's not all public

AntonOP•11/24/22, 10:22 PM

this just validates the antiforgery token from the header

Callum•11/24/22, 10:22 PM

I mean the simple solution is to not just host your apps on a shared domain

Callum•11/24/22, 10:22 PM

And the browser won't begin leaking information between domains

Callum•11/24/22, 10:23 PM

https://learn.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-7.0, anyways this is what I could find on it

Prevent Cross-Site Request Forgery (XSRF/CSRF) attacks in ASP.NET Core

Discover how to prevent attacks against web apps where a malicious website can influence the interaction between a client browser and the app.

Callum•11/24/22, 10:23 PM

no point in me man in the middling it

Callum•11/24/22, 10:25 PM

If you're doing web api from client... then you retrieve an anti forgery token from the server in the response headers... and since it's randomised for every authentication and subsequent request you make, you send that one back and if it's not one of the generated values then you know it's not legitimate...

Gage•11/25/22, 3:57 AM

@AntonC I had a class on this recently. Here is the web link we were given, has a video on how to do it https://zarkopafilis.medium.com/asp-net-core-2-2-3-resti-api-24-setting-up-apikey-based-authentication-94169a051a5c

Medium

ASP.NET Core 2.2 & 3 RESTI API #24 — Setting up ApiKey-Based Authen...

Up until now, we are using JWTs to authenticate our APIs. In this tutorial, we are going to demonstrate how to use a static key throughout…

GGage @AntonC I had a class on this recently. Here is the web link we were given, has ...

AntonOP•11/25/22, 9:00 AM

thank you

Accord•11/26/22, 9:06 AM

Was this issue resolved? If so, run

/close

/close

otherwise I will mark this as stale and this post will be archived until there is new activity.