All rules
CA5391Security Enabled by default: No
Use antiforgery tokens in ASP.NET Core MVC controllers
Use antiforgery tokens in ASP.NET Core MVC controllers
Microsoft docsDescription
Handling a POST, PUT, PATCH, or DELETE request without validating an antiforgery token might be vulnerable to cross-site request forgery attacks. A cross-site request forgery attack can send malicious requests from an authenticated user to your ASP.NET Core MVC controller.
Cause
Actions that result in modifying operations don't have an antiforgery token attribute. Or, using a global antiforgery token filter without calling expected anti forgery token functions.
How to fix violations
- Mark the modifying action with a valid antiforgery token attribute:
- Microsoft.AspNetCore.Mvc.ValidateAntiForgeryTokenAttribute.
- Attribute whose name is like
%Validate%Anti_orgery%Attribute. - Add the valid forgery token attribute into the global filter with Microsoft.AspNetCore.Mvc.Filters.FilterCollection.Add.
- Add any custom or Mvc-provided antiforgery filter class that calls
Validateon any class that implements the Microsoft.AspNetCore.Antiforgery.IAntiforgery interface.
Example
using Microsoft.AspNetCore.Mvc;
class ExampleController : Controller
{
[HttpDelete]
public IActionResult ExampleAction(string actionName)
{
return null;
}
[ValidateAntiForgeryToken]
[HttpDelete]
public IActionResult AnotherAction(string actionName)
{
return null;
}
}
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
class ExampleController : Controller
{
[ValidateAntiForgeryToken]
[HttpDelete]
public IActionResult AnotherAction(string actionName)
{
return null;
}
[HttpDelete]
public IActionResult ExampleAction(string actionName)
{
return null;
}
}
class FilterClass : IAsyncAuthorizationFilter
{
public Task OnAuthorizationAsync(AuthorizationFilterContext context)
{
return null;
}
}
class BlahClass
{
public static void BlahMethod()
{
FilterCollection filterCollection = new FilterCollection();
filterCollection.Add(typeof(FilterClass));
}
}
using Microsoft.AspNetCore.Mvc;
class ExampleController : Controller
{
[ValidateAntiForgeryToken]
[HttpDelete]
public IActionResult ExampleAction()
{
return null;
}
[ValidateAntiForgeryToken]
[HttpDelete]
public IActionResult AnotherAction()
{
return null;
}
}
using System.Threading.Tasks;
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
class ExampleController : Controller
{
[ValidateAntiForgeryToken]
[HttpDelete]
public IActionResult AnotherAction()
{
return null;
}
[HttpDelete]
public IActionResult ExampleAction()
{
return null;
}
}
class FilterClass : IAsyncAuthorizationFilter
{
private readonly IAntiforgery antiforgery;
public FilterClass(IAntiforgery antiforgery)
{
this.antiforgery = antiforgery;
}
public Task OnAuthorizationAsync(AuthorizationFilterContext context)
{
return antiforgery.ValidateRequestAsync(context.HttpContext);
}
}
class BlahClass
{
public static void BlahMethod()
{
FilterCollection filterCollection = new FilterCollection();
filterCollection.Add(typeof(FilterClass));
}
}When to suppress
It's safe to suppress this rule if solutions other than using antiforgery token attributes are adopted to mitigate CSRF vulnerabilities. For more information, see Prevent Cross-Site Request Forgery (XSRF/CSRF) attacks in ASP.NET Core.
Your vote
Group results
0 yes 0 no
ConsensusNone (disabled)
Severity preference (yes voters)
Suggestion0
Warning0
Error0