Cross-site request forgery: Webforms
Working through a legacy application that needs to post data using jQuery ajax to a controller service endpoint that validates CSRF tokens.
Find the master page
- Embed the appropriately generated text/html with this helper method
<%= AntiForgery.GetHtml() %>
Example
<body>
<%= AntiForgery.GetHtml() %>
....
Render as
Send the token with the ajax POST request
- Grab the token
"__RequestVerificationToken": $("input[name^=__RequestVerificationToken]").first().val()
and stick it in the header of the request under the special header name of __RequestVerificationToken
Submitted as so
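The two steps above (grab the token, send it in the header) wired in once for every jQuery request, as an added example that is not code from the original post. It assumes jQuery is passed in as `$`, that the endpoint reads the token from the `__RequestVerificationToken` header, and uses a hypothetical `/orders/save` URL; it also goes slightly beyond the post by skipping safe methods and never attaching the token to cross-origin requests.

```javascript
// Added example: assumes jQuery as `$`; TOKEN_NAME is the field/header name used on this page.
const TOKEN_NAME = "__RequestVerificationToken";
const SAFE_METHODS = ["GET", "HEAD", "OPTIONS", "TRACE"];

// Returns {name, value} for requests that need the token, or null.
// pageOrigin is window.location.origin in the browser.
function csrfHeaderFor($, method, url, pageOrigin) {
  const verb = (method || "GET").toUpperCase();
  if (SAFE_METHODS.includes(verb)) return null;

  // Resolve relative URLs against the page; never send the token cross-origin,
  // where a third-party server could read it.
  let target;
  try {
    target = new URL(url, pageOrigin);
  } catch (e) {
    return null;
  }
  if (target.origin !== pageOrigin) return null;

  // Same selector the post uses to grab the hidden field.
  const token = $("input[name^=" + TOKEN_NAME + "]").first().val();
  if (!token) {
    // Fail loudly in the client instead of sending a request the server will reject.
    throw new Error("anti-forgery token field not found; was AntiForgery.GetHtml() rendered?");
  }
  return { name: TOKEN_NAME, value: token };
}

// Registers the check once so every later $.ajax / $.post call is covered.
function installCsrfPrefilter($, pageOrigin) {
  $.ajaxPrefilter(function (options, originalOptions, jqXHR) {
    const header = csrfHeaderFor($, options.type, options.url, pageOrigin);
    if (header) jqXHR.setRequestHeader(header.name, header.value);
  });
}

// Browser usage (after jQuery has loaded):
//   installCsrfPrefilter(jQuery, window.location.origin);
//   $.ajax({ url: "/orders/save", type: "POST", data: { qty: 1 } });  // hypothetical endpoint
```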