Anton

❔ Antiforgery token validation in API's

Antiforgery tokens are for preventing cross-site request forgery. Does that mean all sensitive APIs should validate the token? I haven't got into authentication and authorization in ASP.NET Core yet; should I learn that first, and then it would become clear to me? I mean, I have a Razor Pages + API controllers app, and I was planning to use API controllers for all API-related things, so no form POST request handling in the Razor code. So I wonder whether the authentication strategies used in the two approaches are completely different. I mean, Razor Pages would most likely use cookies on the client side to manage the sensitive user authentication information, while APIs used in their pure form would just have a plain token; both, I imagine, would end up in the HTTP headers, so should they be validated in the same way? Should pure APIs be trusted more? And then, isn't it possible to dynamically determine the authentication scheme, to use the same API endpoint for both sources of requests? Again, this might become clear to me if I read some more material; however, it's still vague to me for now.
19 Replies
Callum
Callum2y ago
I think most people just use CORS to prevent that attack, so that you can only make requests to your secured API from a subset of domains; thus you can't direct someone to a malicious site, authenticate & steal their auth credentials.
Anton
Anton2y ago
So I can expect there to be no plausible way for an attacker to spoof the origin domain?
Callum
Callum2y ago
Well, if you use an HTTPS-secured site, typically you can ensure the site signature also matches. Though truthfully, if they have access to the machine they can steal keystrokes or steal your password or even control your machine, by which point I consider that game over.
Anton
Anton2y ago
But well, this would make the API internal, which I don't want.
Callum
Callum2y ago
The hosts file exists, so you could rewrite google.com to point at localhost, and given a convincing enough attack you may even enter in your username & password, but on the general internet, assuming they can't access your machine... You say your API can only be accessed by site foo.com. Unless what you want is a public-facing API that you also authenticate against yourself?
Anton
Anton2y ago
Yeah, you're right, I don't know what this means.
Callum
Callum2y ago
Public, i.e. everyone can access. At work I authenticate against company databases, so we prevent this attack by hosting the API as a subdirectory of our application, by going /api/.
Anton
Anton2y ago
No, they would have to be authenticated.
Callum
Callum2y ago
Yeah, then I think I'm correct.
Anton
Anton2y ago
I said that in response to this. I mean, I want them to be authorized; the access to particular resources is what I meant.
Callum
Callum2y ago
Alternatively you can just use Razor Pages and forget this exists, apparently.
Anton
Anton2y ago
It's not all public; this just validates the antiforgery token from the header.
Callum
Callum2y ago
I mean, the simple solution is to not just host your apps on a shared domain, and the browser won't begin leaking information between domains.
Callum
Callum2y ago
Prevent Cross-Site Request Forgery (XSRF/CSRF) attacks in ASP.NET Core
Discover how to prevent attacks against web apps where a malicious website can influence the interaction between a client browser and the app.
Callum
Callum2y ago
No point in me man-in-the-middling it. If you're doing web API from the client... then you retrieve an antiforgery token from the server in the response headers... and since it's randomised for every authentication and subsequent request you make, you send that one back, and if it's not one of the generated values then you know it's not legitimate...
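Putting the two points of the thread together (a per-request choice of authentication scheme, and header-based antiforgery validation applied only to cookie-authenticated calls), here is an added example; it is not code from the thread or from the linked docs. It assumes .NET 8 minimal hosting and the Microsoft.AspNetCore.Authentication.JwtBearer package; the scheme name, header name and routes are illustrative.

```csharp
// Added example, not code from the thread. One ASP.NET Core app serving Razor Pages
// (cookie auth) and JSON API endpoints (bearer token). The antiforgery check runs only for
// state-changing requests authenticated by the ambient cookie: a bearer token is attached
// explicitly by the caller, so a third-party site cannot make the browser send it.
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.JwtBearer;

var builder = WebApplication.CreateBuilder(args);

// Pick the scheme per request: an Authorization header means a bearer client,
// otherwise fall back to the cookie issued to the browser (scheme name is illustrative).
builder.Services.AddAuthentication(o => o.DefaultScheme = "CookieOrBearer")
    .AddPolicyScheme("CookieOrBearer", "Cookie or Bearer", o =>
        o.ForwardDefaultSelector = ctx => ctx.Request.Headers.ContainsKey("Authorization")
            ? JwtBearerDefaults.AuthenticationScheme
            : CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie()
    .AddJwtBearer(); // token validation parameters are configured elsewhere (assumption)

// Browser clients send the request token in this header instead of a form field.
builder.Services.AddAntiforgery(o => o.HeaderName = "X-XSRF-TOKEN");
builder.Services.AddRazorPages();

var app = builder.Build();
app.UseAuthentication();

// CSRF guard: unsafe method + authenticated without an Authorization header => token required.
app.Use(async (ctx, next) =>
{
    bool safeMethod = HttpMethods.IsGet(ctx.Request.Method) || HttpMethods.IsHead(ctx.Request.Method)
                      || HttpMethods.IsOptions(ctx.Request.Method);
    bool cookieSession = ctx.User.Identity?.IsAuthenticated == true
                         && !ctx.Request.Headers.ContainsKey("Authorization");
    if (!safeMethod && cookieSession
        && !await ctx.RequestServices.GetRequiredService<IAntiforgery>().IsRequestValidAsync(ctx))
    {
        ctx.Response.StatusCode = StatusCodes.Status400BadRequest;
        return; // reject before the endpoint runs
    }
    await next(ctx);
});
app.UseAuthorization();

// Browser clients fetch a request token here; the paired antiforgery cookie is set automatically.
app.MapGet("/antiforgery/token", (IAntiforgery af, HttpContext ctx) =>
    Results.Ok(new { token = af.GetAndStoreTokens(ctx).RequestToken })).RequireAuthorization();

// The same endpoint serves both clients: cookie callers must pass the guard above, bearer callers skip it.
app.MapPost("/api/account/email", () => Results.NoContent()).RequireAuthorization();
app.MapRazorPages();
app.Run();
```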
Gage
Gage2y ago
@AntonC I had a class on this recently. Here is the web link we were given; it has a video on how to do it: https://zarkopafilis.medium.com/asp-net-core-2-2-3-resti-api-24-setting-up-apikey-based-authentication-94169a051a5c
Medium
ASP.NET Core 2.2 & 3 RESTI API #24 — Setting up ApiKey-Based Authen...
Up until now, we are using JWTs to authenticate our APIs. In this tutorial, we are going to demonstrate how to use a static key throughout…
Anton
Anton2y ago
Thank you
Accord
Accord2y ago
Was this issue resolved? If so, run /close - otherwise I will mark this as stale and this post will be archived until there is new activity.