❔ Antiforgery token validation in APIs
Antiforgery tokens are for preventing cross-site request forgery. Does that mean all sensitive APIs should validate the token?
I haven't gotten into authentication and authorization in ASP.NET Core yet; should I learn that first, and then it would become clear to me?
I mean, I have a Razor Pages + API controllers app, and I was planning to use API controllers for all API-related things, so no form POST request handling in the Razor code. So I wonder whether the authentication strategies used in the two approaches are completely different. I mean, Razor Pages would most likely use cookies on the client side to manage the sensitive user authentication information, while APIs used in their pure form would just have a plain token; both, I imagine, would end up in the HTTP headers, so should they be validated in the same way? Should pure APIs be trusted more? And then, isn't it possible to dynamically determine the authentication scheme, to use the same API endpoint for both sources of requests?
Again, this might become clear to me if I read some more material; however, it's still vague to me for now.
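As an added example (not code from the thread, and not the ASP.NET Core documentation's own sample), here is one way to wire the two schemes the question describes into a single .NET 7 Program.cs: a policy scheme forwards each request to the cookie or the JWT bearer handler depending on whether an Authorization header is present, and antiforgery validation is applied only on unsafe methods that were not bearer-authenticated, because the browser only attaches the cookie on its own. The issuer URL, audience, header name, and token route are assumptions.

```csharp
// Added example, not the thread's or the docs' code. Assumes: a JWT issuer at
// https://issuer.example, audience "my-api", header "X-CSRF-TOKEN" and a
// /antiforgery/token route; adjust to the real app.
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.JwtBearer;

var builder = WebApplication.CreateBuilder(args);

const string CookieOrBearer = "CookieOrBearer";

// Pick the scheme per request: an "Authorization: Bearer ..." header means the
// caller set the credential explicitly; anything else falls back to the cookie.
builder.Services.AddAuthentication(CookieOrBearer)
    .AddPolicyScheme(CookieOrBearer, "Cookie or Bearer", options =>
    {
        options.ForwardDefaultSelector = ctx => HasBearerHeader(ctx)
            ? JwtBearerDefaults.AuthenticationScheme
            : CookieAuthenticationDefaults.AuthenticationScheme;
    })
    .AddCookie()
    .AddJwtBearer(options =>
    {
        options.Authority = "https://issuer.example"; // assumed
        options.Audience = "my-api";                  // assumed
    });

builder.Services.AddAuthorization();
builder.Services.AddRazorPages();
builder.Services.AddControllers();
// Header a fetch/XHR client uses to send the request token back (assumed name).
builder.Services.AddAntiforgery(options => options.HeaderName = "X-CSRF-TOKEN");

var app = builder.Build();

app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();

// CSRF is only possible when the browser attaches the credential by itself,
// i.e. the auth cookie. Unsafe method + no bearer header => require the token.
// Bearer calls skip the check: a cross-site page cannot add that header
// without the target's CORS policy allowing it.
app.Use(async (ctx, next) =>
{
    if (IsUnsafeMethod(ctx.Request.Method) && !HasBearerHeader(ctx))
    {
        var antiforgery = ctx.RequestServices.GetRequiredService<IAntiforgery>();
        try
        {
            await antiforgery.ValidateRequestAsync(ctx);
        }
        catch (AntiforgeryValidationException)
        {
            ctx.Response.StatusCode = StatusCodes.Status400BadRequest;
            await ctx.Response.WriteAsync("Antiforgery token missing or invalid.");
            return;
        }
    }
    await next(ctx);
});

// Browser-side script fetches this once (the auth cookie rides along), then
// sends the value in X-CSRF-TOKEN on every POST/PUT/DELETE. GetAndStoreTokens
// also sets the paired antiforgery cookie the request token is validated against.
app.MapGet("/antiforgery/token", (IAntiforgery antiforgery, HttpContext ctx) =>
{
    var tokens = antiforgery.GetAndStoreTokens(ctx);
    return Results.Text(tokens.RequestToken ?? string.Empty);
}).RequireAuthorization();

app.MapRazorPages();
app.MapControllers(); // [Authorize] controllers now accept either scheme

app.Run();

static bool HasBearerHeader(HttpContext ctx) =>
    ctx.Request.Headers.Authorization.ToString()
       .StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase);

static bool IsUnsafeMethod(string method) =>
    !(HttpMethods.IsGet(method) || HttpMethods.IsHead(method)
      || HttpMethods.IsOptions(method) || HttpMethods.IsTrace(method));
```

Razor Pages form posts still carry the hidden `__RequestVerificationToken` field, so the middleware's `ValidateRequestAsync` passes for them as well; the Razor Pages antiforgery filter then validates a second time, which is redundant but harmless. The practical answer to "should pure APIs be trusted more" is that they are not trusted more, they are just not exposed to CSRF: the bearer token must be placed in the header by the caller's own code, which a cross-site page cannot do, so the antiforgery token only has to be enforced on the cookie path.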
19 Replies
I think most people just use CORS to prevent that attack.
So that you can only make requests to your secured API from a subset of domains; thus you can't direct someone to a malicious site, authenticate, and steal their auth credentials.
So I can expect there to be no plausible way for an attacker to spoof the origin domain?
Well, if you use an HTTPS-secured site, typically you can ensure the site signature also matches. Though truthfully, if they have access to the machine they can steal keystrokes or steal your password or even control your machine
By which point I consider that game over
But well this would make the API internal
which I don't want
The hosts file exists, so you could rewrite google.com to point at localhost, and given a convincing enough attack you may even enter your username & password, but on the general internet, assuming they can't access your machine
You say your API can only be accessed by site foo.com
Unless what you want is a public facing API that you also authenticate against yourself?
yeah you're right
I don't know what this means
public: i.e: everyone can access
At work I authenticate against company databases, so we prevent this attack by hosting the API as a subdirectory of our application by going /api/
no they would have to be authenticated
Yeah, then I think I'm correct
I said that in response to this
I mean, I want them to be authorized for access to particular resources, is what I meant
alternatively you can just use razor pages
and forget this exists apparently
It's not all public
this just validates the antiforgery token from the header
I mean, the simple solution is to not just host your apps on a shared domain
And the browser won't begin leaking information between domains
https://learn.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-7.0, anyways this is what I could find on it
no point in me man-in-the-middling it
If you're doing Web API from a client... then you retrieve an antiforgery token from the server in the response headers... and since it's randomised for every authentication and subsequent request you make, you send that one back, and if it's not one of the generated values then you know it's not legitimate...
@AntonC I had a class on this recently. Here is the web link we were given; it has a video on how to do it: https://zarkopafilis.medium.com/asp-net-core-2-2-3-resti-api-24-setting-up-apikey-based-authentication-94169a051a5c
thank you
Was this issue resolved? If so, run
/close
- otherwise I will mark this as stale and this post will be archived until there is new activity.