-
Notifications
You must be signed in to change notification settings - Fork 1.9k
Expand file tree
/
Copy pathMissingAntiForgeryTokenValidation.cs
More file actions
62 lines (54 loc) · 1.29 KB
/
MissingAntiForgeryTokenValidation.cs
File metadata and controls
62 lines (54 loc) · 1.29 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
using System.Web.Mvc;
public class HomeController : Controller
{
// BAD: Anti forgery token has been forgotten
[HttpPost]
public ActionResult Login()
{
return View();
}
// GOOD: Anti forgery token is validated
[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult UpdateDetails()
{
return View();
}
// No validation required, as this is a GET method.
public ActionResult ShowHelp()
{
return View();
}
// Should be ignored, because it is not an action method
[NonAction]
public void UtilityMethod()
{
}
}
// GOOD: Base class has ValidateAntiForgeryToken attribute
[ValidateAntiForgeryToken]
public abstract class BaseController : Controller
{
}
public class DerivedController : BaseController
{
// GOOD: Inherits antiforgery validation from base class
[HttpPost]
public ActionResult InheritedValidation()
{
return View();
}
}
// BAD: Base class without antiforgery attribute
public abstract class UnprotectedBaseController : Controller
{
}
public class DerivedUnprotectedController : UnprotectedBaseController
{
// BAD: No antiforgery validation on this or any base class
[HttpPost]
public ActionResult NoInheritedValidation()
{
return View();
}
}